Lecture Notes in 
Artificial Intelligence 1761 

Subseries of Lecture Notes in Computer Science 



Ricardo Caferra Gernot Salzer (Eds.) 



Automated Deduction 
in Classical and 
Non-Classical Logics 

Selected Papers 




Springer 




Lecture Notes in Artificial Intelligence 1761 

Subseries of Lecture Notes in Computer Science 
Edited by J. G. Carbonell and J. Siekmann 

Lecture Notes in Computer Science 

Edited by G. Goos, J. Hartmanis and J. van Leeuwen 




Springer 

Berlin 

Heidelberg 

New York 

Barcelona 

Hong Kong 

London 

Milan 

Paris 

Singapore 

Tokyo 




Ricardo Caferra Gemot Salzer (Eds.) 



Automated Deduction 
in Classical and 
Non-Classical Logics 



Selected Papers 




Springer 




Series Editors 

Jaime G. Carbonell, Carnegie Mellon University, Pittsburgh, PA, USA 
Jorg Siekmann, University of Saarland, Saarbriicken, Germany 



Volume Editors 

Ricardo Caferra 
Leibniz-IMAG 

46 Avenue Felix Viallet, 38031 Grenoble cedex, France 
E-mail: Ricardo.Caferra@imag.fr 

Gemot Salzer 

Technical University of Vienna 

FavoritenstraBe 9-11/E185-2, 1040 Vienna, Austria 

E-mail: salzer@logic.at 



Cataloging-in-Publication data applied for 

Die Deutsche Bibliothek - CIP-Einheitsaufnahme 

Automated deduction in classical and non-classical logics / 

Ricardo Caferra ; Gemot Salzer (ed.). - Berlin ; Fleidelberg ; New 
York ; Barcelona ; Hong Kong ; London ; Milan ; Paris ; Singapore ; 
Tokyo : Springer, 2000 

(Lecture notes in computer science ; Vol. 1761 : Lecture notes in 
artificial intelligence) 

ISBN 3-540-67190-0 



CR Subject Classification (1998): 1.2.3, F.4.1, F.3.1 



ISSN 0302-9743 

ISBN 3-540-67190-0 Springer- Verlag Berlin Heidelberg New York 



This work is subject to copyright. All rights are reserved, whether the whole or part of the material is 
concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, 
reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication 
or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, 
in its current version, and permission for use must always be obtained from Springer- Verlag. Violations are 
liable for prosecution under the German Copyright Law. 

Springer- Verlag is a company in the specialist publishing group BertelsmannSpringer 
(c) Springer-Verlag Berlin Heidelberg 2000 
Printed in Germany 

Typesetting: Camera-ready by author 

Printed on acid-free paper SPIN 10719651 06/3142 5 43 2 1 0 




Preface 



This volume is a collection of papers on automated deduction in classical, modal, 
and many-valued logics, with an emphasis on first-order theories. Some authors 
bridge the gap to higher-order logic by dealing with simple type theory in a first- 
order setting, or by resolving shortcomings of first-order logic with the help of 
higher-order notions. Most papers rely on resolution or tableaux methods, with 
a few exceptions choosing the equational paradigm. 

In its entirety the volume is a mirror of contemporary research in first-order 
theorem proving. One trend to be observed is the interest in effective decision 
procedures. The main aim of first-order theorem proving was and still is to 
demonstrate the validity or unsatisfiability of formulas, by more and more so- 
phisticated methods. Within the last years, however, the other side of the medal - 
falsifiability and satisfiability - has received growing attention. Though in gen- 
eral non-terminating, theorem provers sometimes act as decision procedures on 
subclasses of first-order logic. In particular cases their output can even be used to 
extract finite representations of models or counter-examples. Another develop- 
ment is the extension of deduction techniques from classical logic to many- valued 
and modal logics. By suitably generalizing classical concepts many results carry 
over to non-classical logics. This line of research is stimulated by artificial intel- 
ligence with its need for more expressive logics capable of modeling real-world 
reasoning. 

From a formal point of view this volume comprises two types of papers, 
invited and contributed ones. Gilles Dowek, Melvin Fitting, Deepak Kapur, 
Alexander Leitsch, and David Plaisted accepted our invitation to present recent 
developments in and their view of the field. Contributed papers on the other 
hand underwent a two-staged selection process. The first selection took place 
when choosing extended abstracts for presentation at FTP’ 98 - International 
Workshop on First-Order Theorem Proving held in November 1998 in Vienna. 
Authors of accepted abstracts were invited to submit full versions, which were 
again thoroughly refereed. Therefore this volume owes much to those people 
who helped evaluating the submissions. In particular we would like to thank 
Maria Paola Bonacina, Adel Bouhoula, Anatoli Degtyarev, Jurgen Dix, Uwe 
Egly, Christian G. Fermuller, Ulrich Furbach, Fausto Giunchiglia, Rajeev Gore, 
Bernhard Gramlich, Miki Hermann, Jielr Hsiang, Florent Jacquemard, Alexan- 
der Leitsch, Reinhold Letz, Georg Moser, Hans Jurgen Olrlbach, David Plaisted, 
Michael Rusinowitch, Rolf Socher-Ambrosius, Jane Spurr, Mark Stickel, Andrei 
Voronkov, and Hantao Zhang for their efforts and support. 



August 1999 



Ricardo Caferra and Gernot Salzer 




Table of Contents 



Invited Papers 

Automated Theorem Proving in First-Order Logic Modulo: On the 

Difference between Type Theory and Set Theory 1 

Gilles Dowek (INRIA-Rocquencourt) 

Higher-Order Modal Logic — A Sketch 23 

Melvin Fitting (Lehman College, CUNY) 

Proving Associative-Commutative Termination Using RP O-Compatible 

Orderings 39 

Deepak Kapur (University of New Mexico), 

G. Sivakumar (Indian Institute of Technology) 

Decision Procedures and Model Building, or How to Improve Logical 

Information in Automated Deduction 62 

Alexander Leitsch (Technische Universitat Wien) 

Replacement Rules with Definition Detection 80 

David A. Plaisted (University of North Carolina at Chapel Hill), 

Yunshan Zhu (University of North Carolina at Chapel Hill) 

Contributed Papers 

On the Comlexity of Finite Sorted Algebras 95 

Thierry Boy de la Tour (LEIBNIZ-IMAG, CNRS) 

A Further and Effective Liberalization of the (5-Rule in Free Variable 

Semantic Tableaux 109 

Domenico Cantone (University di Catania), 

Marianna Nicolosi Asmundo (University di Catania) 

A New Fast Tableau-Based Decision Procedure for an Unquantified 

Fragment of Set Theory 126 

Domenico Cantone (Universita di Catania), 

Calogero G. Zarba (Stanford University) 

Interpretation of a Mizar-Like Logic in First-Order Logic 137 

Ingo Dahn (University of Koblenz-Landau) 

An G((n-log n) 3 )-Time Transformation from Grz into Decidable Fragments 

of Classical First-Order Logic 152 

Stephane Demri (LEIBNIZ- CNRS), 

Rajeev Gore (Australian National University) 




VIII Table of Contents 



Implicational Completeness of Signed Resolution 167 

Christian G. Fermiiller (Technische Universitat Wien) 

An Equational Re-engineering of Set Theories 175 

Andrea Formisano (University “La Sapienza ” of Rome), 

Eugenio Omodeo (University of L’Aquila) 

Issues of Decidability for Description Logics in the Framework of 

Resolution 191 

Ullrich Hustadt (Manchester Metropolitan University ) , 

Renate A. Schmidt (Manchester Metropolitan University) 

Extending Decidable Clause Classes via Constraints 206 

Reinhard Pichler (Technische Universitat Wien) 

Completeness and Redundancy in Constrained Clause Logic 221 

Reinhard Pichler (Technische Universitat Wien) 

Effective Properties of Some First-Order Intuitionistic Modal Logics 236 

Aida Pliuskeviciene (Vilnius Institute of Mathematics and Informatics) 

Hidden Congruent Deduction 251 

Grigore Ro§u (University of California at San Diego), 

Joseph Goguen (University of California at San Diego) 

Resolution-Based Theorem Proving for Aff„-Logics 267 

Viorica Sofronie-Stokkermans (Max- Planck- Institut fur Informatik, 
Saarbriicken) 

Full First-Order Sequent and Tableau Calculi with Preservation of 

Solutions and the Liberalized (5-Rule but without Skolemization 282 

Claus-Peter Wirth (Universitat Dortmund) 

Author Index 299 




Automated Theorem Proving in First-Order 
Logic Modulo: On the Difference between Type 
Theory and Set Theory 



Gilles Dowek 



INRIA-Rocquencourt, B.P. 105, 78153 Le Chesnay Cedex, France 

Gilles .Dowek@inria.fr 



http : / / coq. inria.fr/~dowek 



Abstract. Resolution modulo is a first-order theorem proving method 
that can be applied both to first-order presentations of simple type theory 
(also called higher-order logic) and to set theory. When it is applied to 
some first-order presentations of type theory, it simulates exactly higher- 
order resolution. In this note, we compare how it behaves on type theory 
and on set theory. 



Higher-order theorem proving (e.g. lriglrer-order resolution [1,17,18]) is different 
from first-order theorem proving in several respects. First, the first-order unifi- 
cation algorithm has to be replaced by the higher-order one [19,20]. Even then, 
the resolution rule alone is not complete but another rule called the splitting rule 
has to be added. At last, the skolemization rule is more complicated [24,25]. 

On the other hand, higher-order logic, also called simple type theory, can be 
expressed as a first-order theory [7], and first-order theorem proving methods, 
such as first-order resolution, can be used for this theory. Of course, first-order 
resolution with the axioms of this theory is much less efficient than higher-order 
resolution. However, we can try to understand higher-order resolution as a special 
automated theorem proving method designed for this theory. A motivation for 
this project is that it is very unlikely that such a method applies only to this 
theory, but it should also apply to similar theories such as extensions of type 
theory with primitive recursion or set theory. 

In [11], together with Th. Hardin and C. Kirchner, we have proposed a the- 
orem proving method for first-order logic, called resolution modulo, that when 
applied to a first-order presentation of type theory simulates exactly higher-order 
resolution. Proving the completeness of this method has required to introduce 
a new presentation of first-order logic, called deduction modulo that separates 
clearly computation steps and deduction steps. 

Resolution modulo can be applied both to type theory and to set theory. 
The goal of this note is to compare how resolution modulo works for one theory 
and the other. In order to remain self contained, we will first present shortly the 
ideas of deduction modulo and resolution modulo. 



R. Caferra and G. Salzer (Eds.): Automated Deduction, LNAI 1761, pp. 1—22, 2000. 
(c) Springer- Verlag Berlin Heidelberg 2000 




2 



Gilles Dowek 



1 Resolution Modulo 



1.1 Deduction Modulo 

In deduction modulo, the notions of language, term and proposition are that of 
(many sorted) first-order logic. But, a theory is formed with a set of axioms r 
and a congruence = defined on propositions. In this paper, all congruences will 
be defined by confluent rewrite systems (as these rewrite systems are defined on 
propositions and propositions contain binders, these rewrite systems are in fact 
combinatory reduction systems [23]). Propositions are supposed to be identified 
modulo the congruence =. Hence, the deduction rules must take into account 
this equivalence. For instance, the modus ponens cannot be stated as usual 

A => B A 
B 



but, as the two occurrences of A need not be identical, but need only to be 
congruent, it must be stated 



A' => B 
B~ 



A 

— if A = A' 



In fact, as the congruence may identify implications with other propositions, a 
slightly more general formulation is needed 



C A 
B 



if C = A => B 



All the rules of natural deduction or sequent calculus may be stated in a similar 
way, see [11,13] for more details. 

As an example, in arithmetic, in natural deduction modulo, we can prove 
that 4 is an even number: 



\/x x = 
2x2 = 4 



■ axiom 



3a; 2 x x = 4 



(x, x = x, 4) V-elim 
(i,2xi = 4, 2) 3-intro 



Substituting the variable x by the term 2 in the proposition 2 x x = 4 yields the 
proposition 2x2 = 4, that is congruent to 4 = 4. The transformation of one 
proposition into the other, that requires several proof steps in natural deduction, 
is dropped from the proof in deduction modulo. It is just a computation that 
need not be written, because everybody can re-do it by him/lrerself. 

In this case, the congruence can be defined by a rewriting system defined on 
terms 

0 + y — > y 
S(x) + y — > S(x + y) 

0 x y — > 0 
S(x) x y 



xxy + y 




Automated Theorem Proving in First-Order Logic Modulo 



3 



Notice that, in the proof above, we do not need the axioms of addition and 
multiplication. Indeed, these axioms are now redundant: since the terms 0 + y 
and y are congruents, the axiom Vy 0 + y = y is congruent to the equality axiom 
Vy y = y- Hence, it can be dropped. In other words, this axiom has been built-in 
the congruence [26,1,30]. 

The originality of deduction modulo is that we have introduced the possibility 
to define the congruence directly on propositions with rules rewriting atomic 
propositions to arbitrary ones. For instance, in the theory of integral rings, we 
can take the rule 

x x y = 0 — > x = 0 V y = 0 

that rewrites an atomic proposition to a disjunction. 

Notice, at last, that deduction modulo is not a true extension of first-order 
logic. Indeed, it is proved in [11] that for every congruence =, we can find a 
theory T such that T b P is provable modulo = if and only if TT b P is 
provable in ordinary first-order logic. Of course, the provable propositions are 
the same, but the proofs are very different. 

1.2 Resolution Modulo 

When the congruence on propositions is induced by a congruence on terms, au- 
tomated theorem proving can be performed like in first-order logic, for instance 
with the resolution method, provided the unification algorithm is replaced by 
an equational unification algorithm modulo this congruence. Equational unifica- 
tion problems can be solved by the narrowing method [15,21,22]. The method 
obtained this way, called equational resolution [26,30], is complete. 

The situation is different when the congruence identifies atomic propositions 
with non atomic ones. For instance, in the theory of integral rings, the proposi- 
tion 

axa = 0=»a = 0 
is provable because it reduces to 

(a = 0Va = 0)=>a = 0 



Hence the proposition 

By (a x a = y => a = y) 

is also provable. But, with the clausal form of its negation 

a x a = Y 
—<a = Z 

we cannot apply the resolution rule successfully, because the terms a x a and a 
do not unify. 

Hence, we need to introduce a new rule that detects that the literal ax a = Y 
has an instance that is reducible by the rewrite rule 



x x y = 0 



x = 0 V y = 0 




4 



Gilles Dowek 



instantiates it, reduces it and puts it in clausal form again. We get this way the 
clause 

a = 0 

that can be resolved with the clause ~^a = Z. 

Hence, the rewrite rules have to be divided into two sets: the set 8 of rules 
rewriting terms to terms that are used by the equational unification algorithm 
and the set of rule 1Z rewriting atomic propositions to arbitrary ones and that are 
used by this new rule called extended narrowing. The system obtained this way 
is called extended narrowing and resolution or simply resolution modulo. Figure 
1 gives a formulation of this method where unification problems are postponed 
as constraints. A proposition is said to be provable with this method when, from 



Extended resolution: 

{Ai, . . . , A n , Bi, . . . , B m }/Ei {- 1 C 1 , . . . , -i C p , Di , . . . , D q } /E? 
{B \ , . . . , B m , Di, . . . , D q }/Ei U£ 2 U {Ai =s ■ ■ ■ A„ =s C\ =e . . . C p } 



Extended narrowing: 



C/E 

d(C[r} p )/(EU{C lp 



=s 0) 



if/ 



r £ 1Z 



Fig. 1. Resolution modulo 



the clausal form of its negation, we can deduce an empty clause constrained by 
a £-unifiable set of equations. 

Transforming axioms into rewrite rules enhances the efficiency of automated 
theorem proving as shown by this very simple example. 

Example. To refute the theory P\ <f=> ( Qi V P 2 ), ■■■, Pi <f=> (Qi+i V Pi+i), ■■■, 
Pn (Qn+ 1 V p„+i), Pi, Q 2 <G> _L, ..., Qn+1 -L, P n +i 4=> JL, resolution yields 
4 n + 2 clauses 

^Pi ■ Q'i- P2 
Pi 

-P 2 ,Pl 



1 1 > i ■ Qi+ 1, Pz+1 
1 5 Pz 
^P-i+i ■ P( 



Pm Qn+h Pn + 1 





Automated Theorem Proving in First-Order Logic Modulo 



5 



~~ ’Qn+li Pn+\ 

~ n Pn+ li Pn+1 

Pi 

Q2 



~^Qn+ 1 

~'Pn + 1 

While, in resolution modulo, the propositions Pi <t=> (Qi+ 1 V -Pi+i), Qi J_ and 
P n +\ -O- _L can be transformed into rewrite rules 

Pi — > Qi+i V P l+1 



Qi — » X 
Pn + 1 * X 

The only proposition left is P\. It reduces to _L V ... V _L and its clausal form is 
hence the empty clause. 

Of course, reducing the proposition Pi has a cost, but this cost is much lower 
than that of the non deterministic search of a refutation resolution with the 
clauses above. Indeed, the reduction process is deterministic because the rewrite 
system is confluent. 



1.3 Cut Elimination and Completeness 

Resolution modulo is not complete for all congruences. For instance, take the 
congruence induced by the rewrite rule 

A — > A=> B 



The proposition B has a proof in sequent calculus modulo 



B h B 



Ah A 



axiom 



A,BhB 



axiom 
weak. -left 



A,AhB 
Ah B 



>-left 



B h B 



b A 



contr.-left 

bright 



Ah A 



axiom 



A,Bh B 



axiom 
weak. -left 



A,AhB 



>-left 



Ah B 



contr.-left 



b B 



■ cut 



but it is not provable by resolution modulo. Indeed, the clausal form of the 
negation of the proposition B is the clause 



->R 



and neither the extended resolution rule nor the extended narrowing rule can be 
applied successfully. 




6 



Gilles Dowek 



However, it may be noticed that the proposition B has no cut free proof in 
sequent calculus modulo. Hence sequent calculus modulo this congruence does 
not have the cut elimination property. We have proved in [11] that resolution 
modulo is complete for all congruences = such that the sequent calculus modulo 
= has the cut elimination property. Together with B. Werner, we have proved 
in [13] that cut elimination holds modulo a large class of congruences and con- 
jectured that it holds modulo all congruences that can be defined by a confluent 
and terminating rewrite system. 

When cut elimination does not hold, only propositions that have a cut free 
proof are proved by resolution modulo. 



2 Simple Type Theory and Set Theory 

2.1 Simple Type Theory 

Simple type theory is a many-sorted first-order theory. The sorts of simple type 
theory, called simple types , are defined inductively as follows. 

— l and o are simple types, 

— if T and U are simple types then T — > U is a simple type. 

As usual, we write T\ T n — > U for the type T\ — » ... (T n — » U). 

The language of simple type theory contains the individual symbols 

— S T ,u,v of sort (T — > U -> V) -> (T — > U) -> T — > V, 

— Kt,u °f sort T — > U — > T, 

— V of sort o — > o — > o, 

— A of sort o — > o 1 

Vt of sort (T — > o) — > o, 

the function symbols 

— olt,u °f rank (T — > U, T, U), 
and the predicate symbol 

— e of rank (o). 

As usual, we write (t u) for the term a(t, u) and (t u\ ... u n ) for (■■■(t ui) ... u n ). 

Usual presentations of simple-type theory [6,2] define propositions as terms 
of type o. But, as we want type theory to be a first-order theory, we introduce 
a predicate symbol e that transforms a term of type o into a genuine proposi- 
tion. Then, we need an axiom relating the proposition e(a(a(V,x),y)) and the 
proposition e( x) V e(y). For instance, the axiom 



\/x \/y (e(V x y) <t=> (e(x) V e(y))) 




Automated Theorem Proving in First-Order Logic Modulo 



7 



(S x y z) — > (x z (y z)) 

(K x y) — > x 
e(A x) — > -ie(x) 
e(V x y ) — ♦ e(x) V e{y) 
e(V x) — ♦ Vy e(x y) 

Fig. 2. Rewriting rules for simple type theory 



This axiom can be built in the congruence, if we take the rewrite rule 

e(V x y) — ► e(x) V e(y) 

This leads to the rewrite system of the figure 2. This rewrite system is confluent 
because it is orthogonal and we prove in [10] that it is strongly normalizing. 
Hence, the congruence is decidable. 

It is proved in [13] that deduction modulo this congruence has the cut elimi- 
nation property, i.e. every proposition provable in sequent calculus modulo this 
congruence has a cut free proof. 



2.2 Set Theory 



The language of Zermelo’s set theory is formed with the binary predicate symbols 
£ and =. This theory contains the axioms of equality and the following axioms, 
pair: 

Vx Vy 3 z \/w (w £ z (w = x V w = y)) 



union: 



Vx By Vw (w £ y <t=> Bz (w £ z A 2 £ x)) 



power set: 



Vx By Vw (w £ y Vz (z £ w => z £ x)) 



subset scheme: 



Vxi...Vx„ Vy Bz Vw (w £ z <t=> (w £ y A P)) 
where xi, ..., x n are the free variables of P minus w. 

To these axioms, we may add the extensionality axiom, the foundation axiom, 
the axiom of infinity, the replacement scheme and the axiom of choice. 

To have a language for the objects of the theory we may skolemize these 
axioms introducing the function symbols {}, (J, 'P and f Xl ,...,x n ,w,p- We then 
get the axioms 



Vx Vy Vw (w £ {}(», y) <*=> (w = x V w = y)) 





Gilles Dowek 



\/x \/w (w £ [J(a;) <t=> 3z (w £ z A 2 £ x)) 

Vx Vw (w £ V(x) <t=> Vz (z £ w =$■ z £ x)) 

\/x 1 ...\/x n Vy Vw (to G f Xl ,...,x n ,w,p(x 1, y) <G> (w G y A P)) 

Then, these axioms may be built in the congruence with the rewrite system of 
figure 3. This rewrite system is confluent because it is orthogonal. But it does 



w G {}(*, y ) — ♦ w — x V w = y 
w G ^J(x) — ♦ 3z (w G z A z G *) 
w G V(x) — ♦ Vz (z G w => z G x) 
v G f Xl ,...,x n ,w,p(yi, -,yn,z) — >v£z A [yi/xi,...,y n /x n ,v/w\P 

Fig. 3. Rewriting rules for set theory 



not terminate. A counter-example is M. Crabbe’s proposition. Let C be the term 
{a; G a \ -<x G x} i.e. f w ,^wew(a)- We have 

iGC — » x £ a A -ix G x 



Hence, writing A for the proposition C G C and B for the proposition C £ a we 
have 

A — > B A —iA 

This permits to construct the infinite reduction sequence 

A — > B A —1 A — * B A ~'(B A — • <A) — > ... 



Up to our knowledge, the decidability of this congruence is open. 

Deduction modulo this congruence does not have the cut elimination prop- 
erty. A counter example is again Crabbe’s proposition (see [16,14] for a discus- 
sion) . As we have seen, this proposition A rewrites to a proposition of the form 
B A -’A. Hence, the proposition ~^B has the following proof 



Ah A 
A,B h A 
A, P, — 'A h 



axiom 



B h B 



axiom 



A, Ah 
~AT~ 
h ^A 
B I — 1 A 



weakening-left 
-•-left 
A-left 
contraction-left 
-•-right 

weakening-left 



Bh A 



A-right 

bT 

"F^P 



-•-right 



Ah A 
A, P h A 
A, P, ->A h 



axiom 



A, Ah 
Ah 



weakening-left 
-•-left 
A-left 
■ contraction-left 
■ cut 





Automated Theorem Proving in First-Order Logic Modulo 



9 



but it is easy to check that the proposition i.e. €= a, has no 

cut free proof. 

3 Resolution Modulo in Type Theory and in Set Theory 

3.1 Resolution Modulo in Type Theory 

In the rewrite system of figure 2, the first two rules 

(S x y z) — > (x z (y z )) 

(K x y) — > x 

rewrite terms to terms and are used by the unification algorithm. The three 
others 

e(A x) — > ->e(x) 
e(V x y) — ► e(x) V e(y) 
e(V x) — > Vy e(x y) 

rewrite propositions to propositions and are used by the extended narrowing 
rule. 

Equational unification modulo the rules S and K is related to higher-order 
unification. Actually since the reduction of combinators is slightly weaker than 
the reduction of A-calculus, unification modulo this reduction is slightly weaker 
than higher-order unification [8]. To have genuine higher-order unification, we 
have to take another formulation of type theory using explicit substitutions 
instead of combinators (see section 5). 

The extended narrowing modulo the rules A, v and V is exactly the splitting 
rule of higher-order resolution. A normal literal unifies with the left member of 
such a rule if and only if its head symbol is a variable. 

The skolemization rule in this language is related to the skolemization rule 
of type theory. When we skolemize a proposition of the form 

Vx 3 y P 

we introduce a function symbol / of rank (T, U) where T is the type of x and 
U the type of y (not an individual symbol of type T — > U) and the axiom 

Vx [f(x)/y\P 

Hence, the Skolem symbol / alone is not a term, but it permits to build a term 
of type U when we apply it to a term of type T. This is, in essence, the higher- 
order skolemization rule, but formulated for the language of combinators and 
not for A-calculus. Again, we have the genuine higlrer-order skolemization rule 
if we use the formulation of type theory using explicit substitutions instead of 
combinators (see section 5). 




10 



Gilles Dowek 



3.2 Resolution Modulo in Set Theory 

In set theory, there is no rule rewriting terms to terms. Hence, unification in 
set theory is simply first-order unification. Converselly, all the rules of figure 

3 rewrite propositions to propositions and thus the extended narrowing is per- 
formed modulo all theses rules. 

In set theory, resolution modulo is incomplete. We have seen that the propo- 
sition 

has a proof in set theory, but it cannot be proved by the resolution modulo 
method. Indeed, from the clausal form of its negation 

we can apply neither the resolution rule nor the extended narrowing rule suc- 
cessfully. 

4 On the Differences between Set Theory and Type 
Theory 

4.1 Termination 

The first difference between resolution modulo in type theory and in set theory is 
that the rewrite system is terminating in type theory and hence all propositions 
have a normal form, while some propositions, e.g. Crabbe’s proposition, have no 
normal form in set theory. 

Hence, during proof search, we can normalize all the clauses while this is 
impossible in set theory. Formally, the method modified this way requires a 
completeness proof. 

4.2 Completeness 

Another difference is that, as type theory verifies the cut elimination property, 
resolution modulo this congruence is complete, while it is incomplete modulo 
the congruence of set theory. 

A solution to recover completeness may be to use an automated theorem 
proving method that searches for proofs containing cuts. For instance if we add 
a rule allowing to refute the set of clauses S by refuting both the set 5U{^P} 
and the set {P} then we can refute the proposition B above. 

Another direction is to search for another presentation of set theory or for 
a restriction of this theory that enjoys termination and cut elimination. We 
conjecture that if we restrict the subset scheme to stratifiable propositions in the 
sense of W.V.O. Quine [27], we get a restriction of set theory that is sufficient to 
express most mathematics, that terminates and that verifies the cut elimination 
property. The cut elimination and completeness results obtained by S.C. Bailin 
[4,5] for his formulation of set theory let this conjecture be plausible. 




Automated Theorem Proving in First-Order Logic Modulo 



11 



4.3 Typing Literals 

A minor difference is that when we try to prove a theorem of the form “for all 
natural numbers x, P(x) v , we have to formalize this theorem by the proposition 

\/x (x £ N => P(x)) 

in set theory. In contrast, in type theory, we can choose to take t for the type of 
natural numbers and state the theorem 

Vx P(x ) 

During the search, in set theory, extra literals of the form x £ N appear and 
have to be resolved. 

4.4 The Role of Unification and Extended Narrowing 

In resolution modulo, like in most other methods, the main difficulty is to con- 
struct the terms that have to be substituted to the variables. In resolution mod- 
ulo, these terms are constructed by two processes: the unification algorithm and 
the extended narrowing rule. 

The main difference between resolution modulo in type theory and in set 
theory is the division of work between the unification and the extended narrow- 
ing. In type theory, unification is quite powerful and the extended narrowing is 
rarely used. In contrast, in set theory, unification is simply first-order unification 
and all the work is done by the extended narrowing rule. 

This difference reflects a deep difference on how mathematics are formalized 
in a theory and the other. Indeed, the unification in type theory is rich because 
there are rules that rewrite terms to terms and these rules are there because the 
notion of function is primitive in type theory. When we have a function / and an 
object a we can form the term (/ a) and start rewriting this term to a normal 
form. In set theory, there is no such term and a term alone can never be reduced. 
Instead of forming the term (/ a) we can form a proposition expressing that b 
is the image of a by the function /, < a, b >£ /, that then can be rewritten. 

For example, in the proof of Cantor’s theorem we have a function / from a 
set B to its power set and we want to form Cantor’s set of objects that do not 
belong to their image. 

If x is an element of B, in type theory we can express its image (/ x), then 
the term of type o reflecting the proposition expressing that x belongs to its 
image (/ x x), the term of type o reflecting its negation A(/ x x) and then 
Cantor’s set Ax A(/ x x) that, with combinators, is expressed by the term 

C = (S (I< A) ( S ( S (K /) (S K K)) ( S K I<))) 

In contrast, in set theory, we cannot form a term expressing the image of x 
by the function /. Instead of saying that x does not belong to its image we have 
to say that it does not belong to any object that happens to be its image. 

C = {x £ B | Vy (< x, y >£ / => ->x £ y)} 




12 



Gilles Dowek 



This requires to introduce two more logical symbols => and V. These symbols 
cannot be generated by the unification algorithm and are generated by the ex- 
tended narrowing rule. 

It is not completely clear what is the best division of work between unification 
and extended narrowing. Experiences with type theory show that the unification 
algorithm is usually well controlled while the splitting rule is very productive. 
Loading the unification and unloading the extended narrowing seems to improve 
efficiency. 

However, two remarks moderate this point of view. First, in type theory, 
the functions that can be expressed by a term are very few. For instance, if 
we take the type i for the natural numbers and introduce two symbols O and 
Slice for zero and the successor function, we can only express by a term the 
constant functions and the functions adding a constant to their argument. The 
other functions are usually expressed with the description operator (or the choice 
operator) and hence as relations. We may enrich the language of combinators 
and the rewrite system, for instance with primitive recursion, but then it is not 
obvious that unification is still so well controlled. 

Another remark is that having a decidable and unitary unification (such as 
first-order unification) permits to solve unification problems on the fly instead 
of keeping them as constraints. This permits to restrict the use of the extended 
narrowing rule. For instance, in type theory, when we have a literal e(P x) and 
we apply the extended narrowing rule yielding two literals e(A) and e{B) and a 
constraint 

e{P x) = e(AvB) 

we keep this constraint frozen and we may need to apply the extended narrowing 
rule to other literals starting with the variable P. In contrast, in set theory, if 
we have a literal x € P and we apply the extended narrowing rule yielding 
two literals y = a and y = b and a constraint (x £ P) = (y € {a, b}). The 
substitution {a,b}/P can be immediately propagated to all the occurrences of 
P initiating reductions that let the extended narrowing steps be useless. 

5 Advanced Formulations of Type Theory and Set 
Theory 

As an illustration of this discussion, we want to compare resolution modulo 
proofs of Cantor’s theorem in type theory and in set theory. However, the pre- 
sentations of type theory and set theory above are a little too rough to be really 
practicable. In both cases, we shall use a more sophisticated presentation where 
the language contains a full binding operator. 

Indeed, in type theory, we want to express Cantor’s set by the term 

C = Xx A(/ x x) 

and not by the term 

C = (S (K A) ( S ( S (I< /) ( S K K)) ( S K K))) 




Automated Theorem Proving in First-Order Logic Modulo 



13 



Similarly, in set theory we want to express this set as 

C = {x G B | My (< x, y >£ R => ->x £ y)} 

where < x, y > is a notation for the set {{at, y}, {tc}} he. (}({}(aj, y), {}(#, a;)), 
and not by the term 

C = {x £ B \ My (Mu ((Mv (v £ u <=> (Mw (w £ v 

<t=> (w = x V w = y)) V Mw (w £ v w = x)))) => u £ R) => ~<x £ y)} 1 
For type theory, such a first-order presentation with a general binding opera- 
tor has been proposed in [12]. It uses an expression of A-calculus as a first-order 
language based on de Bruijn indices and explicit substitutions. In this presenta- 
tion, the sorts are of the form r b T or B h A where T is a simple type and r 
and A are finite sequences of simple types. The language contains the following 
symbols 

— l { of sort Ar b A, 

— a ^ B of rank (T b A — > B, r b A, T b B), 

— B of rank (Ar b B, r b A — > B), 

— []^' r ' of rank r' b A, T b T' , T b A), 

— icl r of sort bbT, 

— of sort Ar b r, 

— r x r ‘ of rank (T b A, T b T', r b Ar'), 

— o r r 'r" of rank (T b T", F" b T', T b T'), 

— V of sort bo-40-»o, 

— A of sort bo — > o, 

— Vt of sort b (T — > o) — > o, 

— £ of rank (b o). 

And the rewrite system is that of figure 4. 

A formulation of set theory with a general binder has been given in [9] . But 
it is not expressed in a first-order setting yet. Waiting for such a theory, for the 
example of Cantor’s theorem, we add a constant C and an ad hoc rewrite rule 

x £ C — > x £ B A\/y (< x, y >£ R => -<x £ y) 



1 In the presentation of set theory above, there is no instance of the subset scheme for 
the proposition 

My (< x, y >£ R => -<x £ y) 

because it contains Skolem symbols. Hence, we replace the proposition < x, y >£ R 
by the equivalent one 

Vu ((Vv (v £ u (Vui (w £ v (w — x V w = y)) V Vui (w £ v <=> w — x)))) => u E R) 

Then we can build the set C with the function symbol introduced by the skolemiza- 
tion of this instance of the scheme. The proposition x £ C is then provably equivalent 
to x £ B A Vy (< x,y >£ R =» ->x £ y) but it does not reduce to it. 




14 



Gilles Dowek 



/1-reduction and ^-reduction: 

(. Xa)b — > ci[b.id] 

X (a 1) — + b if a = a 6[T] 

cr-reduction: 

(a 6)[s] — + (o[s] b[s\) 
l[o.s] — > a 
a[id] — > a 

(Xa) [s] — A(o[.l.(s o t)]) 

(o[s])[t] — > o[s o t] 
id o s — > s 
t o (a.s) — > s 

(si o s 2 ) o s 3 — > si o (s 2 O S3) 

(a.s) o t — > a[t].(s o t) 
so id — ♦ s 
1. | — ♦ id 
l[s].(T os) — > s 

reduction of propositions: 

e(V x y) — > e{x) V e{y) 

x) — » _, e(*) 
e(V T x) — ♦ My e(x y) 

Fig. 4. The rewrite rules of type theory with explicit substitutions 



6 Three Proofs of Cantor’s Theorem 

We now give three resolution modulo proofs of Cantor’s theorem that there is no 
surjection from a set to its power set. The first is in type theory with a function 
expressing the potential surjection from a set to its power set. The second is also 
in type theory, but this potential surjection is expressed by a relation. The last 
one is in set theory and the surjection is, of course, expressed by a relation. 

Automated theorem proving for Cantor’s theorem in type theory is discussed 
in [17,18,3], 

6.1 In Type Theory with a Function 

In type theory, a set is expressed by a term of type T — > o. Here, we choose 
to consider only the set of all objects of type 1 . Its power set is the set of all 







Automated Theorem Proving in First-Order Logic Modulo 



15 



objects of type i — > o. Hence we want to prove that there is no surjection from 
the type i to i — > o. The first solution is to represent this potential surjection 
by a function / of type i — > 4 — > o. The surjectivity of this function can be 
expressed by the existence of a right-inverse g to this function, i.e. a function of 
type (4 — > o) — > l such that for all x, (/ ( g x)) = x. Using Leibniz’ definition of 
equality this proposition is written 

Vx Vp (s(p (/ (g x))) e(p x)) 

Putting this proposition in clausal form yields the clauses 

MP (/ (5 *))),e(P X) 

e(Q (/ ( g Y) 

The search is described on figure 5. It returns the empty clause constrained by 




the equations 

(P X) = AP 

(Q Y) = AS 

(P (/ ( g X ))) = R 

(Q (/ ( g Y))) = S 

(P (/ {g X))) = ( Q (/ ( g Y))) 

that have the solution 



X = Y = AA[t](/[T] 1 1) 

P = Q = A(1 ( 5 [t] AA[f](/[T 2 ] 1 1))) 

R = S = (f(g AA[t](/[T] 1 1)) (g AA[t](/[T] 1 1))) 





16 



Gilles Dowek 



6.2 In Type Theory with a Relation 

Instead of using the primitive notion of function of set theory, we can code the 
functions as functional relations P of type t — > {t — > o) — > o. The surjectivity 
and functionality of this relation are expressed by the propositions 

E :\/y 3x e(R x y) 



F :\/xVy \/z (e(R x y) => e(R x z) => Vp (s(p y) <G> e{p z))) 

Putting these propositions in clausal form yields the clauses 

e(R g(U ) U) 

-.e(P X Y),->e(R X Z),->e{P Y),e(P Z) 

->e(R X Y),->e(R X Z),^e{P Z),e{P Y) 

The search is then described on figure 6 where we simplify the constraints 
and substitute the solved constraints at each step. It returns the empty clause 
constrained by the equations 

(. P Y) = H/G\ 

(Gi W\) = R(R 5 (t/i) t/i)V-VG 2 
(G 2 j/i) = ^A 2 V^B 2 
(Gi W[) = ^A 2 \/^B 2 
(P Y) = H/G 3 

(G 3 y 2 ) = HR g(Y') Z')W^B 3 
( P Z') = -P 3 
(P Y’) = Hg 4 

(G 4 W 2 ) = HR g(U 2 ) U 2 )vH/G 5 
(G e 2/3) = ^A 5 W^B 5 
(G 4 W2) = -^a 5 \/^b 5 

that have the solution 

P=A^[T ](1 ( 5 (G)[TD) 

Gi = g 2 = g 3 = g 4 = g 5 = A(^[T](P[T] <?(G)[T] 1 )V[T]-[T ](1 s(C)[t])) 

Y = W\ = U\ =Y' = W 2 = U 2 = C 
W{ = 2/1 
z' = y 2 

W 2 — 2/3 

A 2 = (R g(C) 2/1) 
s 2 = (2/1 3(G)) 

^3 = (2/2 5(G)) 

Al 5 = (P 5 (C) 33) 

B5 = (2/3 fl(C')) 

where G = Ax VAy (^(P a; y)V^ , (y x)), 
i.e. A V[T]A (-[T 2 ](P[T 2 ] 2 l)V[t 2 ]-[T 2 ](l 2 )). 




Automated Theorem Proving in First-Order Logic Modulo 



17 





1 






e(P fl (I 7 ) C 7 ) 




2 






-,e(P A' y), ->e(R X Z),^e(P Y),e(P Z) 




3 






-,e(P A y),-.e(P X Z),->e(P Z),e(P Y) 




4 


res. 


(1,2) 


-ie(R g(Y) Z),-,s(P Y),e(P Z) 




5 


res. 


( 1 , 4 ) 


-<£(P Y),s(P Y) 




6 


five 


narr. ( 5 ) 


-,e(Ai) 


, -ie(Bi),e(P y)/ci,c 2 




7 


res. 


(6,1) 


MBi) 


,e(P y)/cr,ci 




8 


four 


narr. (7 


e(A 2 ), 


;(P F)/cr,C2,c 3 




9 






e(-B 2 ), 


:(P y)/cr,C2,c 3 




10 


renaming (6' 




,^£(B(),£(P y)/cr,C4 




11 


res. 


(10,8) 


MB'i) 


,e(P y)/cr,C2,c 3 ,C4 




12 


res. 


( 11 , 9 ) 


s(P Y)/ Cl ,c'l,c 3 ,c'l 




13 


five 


narr. (12) e ( A 3 )/ c \, c 2 , c 3 , c'l, c 5 , eg 




14 






£( B 3 )/ ci , C 2 , C 3 , C4, C5, C6 




15 


renaming ( 4 ' 


-e(P g(Y') Z')^£(P Y'),£(P Z') 




16 


res. 


( 15 , 13 ) 


MP Y'),£{P Z')/cr, c£, c 3 , 4 ', c 5 , c' 6 




17 


narr. ( 16 ) 


^e(P y'), _ 'e(< 3 )/cr, C2 , C3, C4, C5, Cg, C7 




18 


res. 


( 17 , 14 ) 


-,e(P y')/ci,C2, C3, C4, C5, Cg, C7 




19 


five 


narr. ( 18 ) -^(A*) 


, -ie(P4)/ci, C2, C3, C4, C5, Cg, C7, C8, Cg 




20 


res. 


( 19 , 1 ) 


-,g(P4)/ci, C2, C3, C4, C5, Cg, C7, C8, Cg 




21 


four 


narr. ( 20 ) e(A 5 )/ci, c 2 , c 3 , c'l, c 5 , Cg, c' 7 , c 8 , Cg, cio 




22 






e(^B§ ) /ci 5 C2 5 C3 5 C4 , C5 5 Cq , Cy , C8 5 Cg , Cio 




23 


renaming ( 19 ) -<£{A'^ 


, ->e(B' 4 )/c i , c 2 , C3 , C4, C5 , Cg, C7, C8, cir 




24 


res. 


( 23 , 21 ) 


^e(B' 4 )/ci,c'l, c 3 , c'l, C5, Cg, C7, C8, Cg, cio, c'n 




25 


res. 


( 24 , 22 ) 


D /ci 5 C2 5 C3 5 C4 , C5 5 Cq , Cy , Cg , Cg , ClO 5 C \\ 


with 


















cr 


(p y) = 


AVGi 








C2 


(Gr Wi) 


= AAiVAPj 








C2 


(Gi ITi) 


= -(P ff (C/r) C 7 i)VABr 








C2 


(Gr Wi) 


= A(P fl ({ 7 r) Pi)VAVG 2 








C 3 


(G 2 J/i ) = 


= - L 'A2V^B2 








C 4 


(Gr W[) 


= aa;vap; 








C4 


(Gr VF[) 










c'l 


(Gr ITi') 


= ~ L 'A2\/'^B2 








C 5 


(P y) = 


AVG3 








C6 


(G3 2/2) = 


= AA3VAP3 








c 6 


(G3 2/2) = 


= -(p s(y') z')v-p 3 








C 7 


(P Z') = 










C 7 


(P Z') = 


AP3 








C8 


(P y') = 


— 'Wr 4 








C 9 


(G 4 W 2 ) 


= ~ 1A4 V - 1^4 








c 9 


(G 4 Wi) 


= -(P s(C 7 2 ) P 2 )VAP 4 








c 9 


(G 4 W 2 ) 


= A(P 5 (C 7 2 ) P 2 )V- 5 VG 5 








cro 


(Gs 2/3) = 


= AA5VAP5 








err 


(G 4 WZ) 


cq 

•r 

> 

•r 

ll 








cir 


(G 4 wi) 


= AA5VAP4 








ci'r 


(G 4 W' 2 ) 


= AA5VAP5 




Fig. 6 . Cantor’s theorem in type theory with a relation 






18 



Gilles Dowek 



6.3 In Set Theory 

We consider a set B and a potential surjection from this set to its power set. We 
express this potential surjection by a set R. The surjectivity and functionality 
of this set are expressed by the propositions 

E : Vy (y G V(B) => (x G BA < x,y >G R)) 

F : Vx Vy \/z (< x, y >G R =>< x, z >G R => y = z) 

We use also the axiom of equality 

L : \/z \/x \/y (x = y => ->z G x => ->z G y) 

The proposition E reduces to the proposition 

Vu (Vy (y G u => y G I?)) => (x € BA < x,u >€ I?)) 

Putting this proposition in clausal form yields the clauses 

y{U) G U, < g{U), U >G I? 

- y(U)£B,<g(U),U>£R 
V {U) G U,g(U) G B 
~^y{U) G B,g(U) G B 

The two other propositions yield the clauses 

-n < X,Y >G R^ < X, Z >G R,Y = Z 

->x = y, z g x, ~^z g y 

The search is described on figure 7 where we simplify the constraints and 
substitute the solved constraints at each step. Propagating the solved constraints 
may lead to new reductions that require to put the proposition in clausal form 
again. This explains that some resolution steps yield several clauses. It returns 
the empty clause. 

6.4 Remarks 

The termination and completeness issues are not addressed by these examples 
because, even in set theory, Cantor’s theorem has a cut free proof and the search 
involves only terminating propositions. 

The proof in set theory is longer because several steps are dedicated to the 
treatment of typing literals that are repeatedly resolved with the clause (12). 

In type theory with a function, only two extended narrowing steps are needed 
to generate the symbol G in the term A ^[T](/[T] 1 1) (i- e - A x G(/ x x)) that 
expresses Cantor’s set. In type theory with a relation, four extended narrowing 
steps are needed to generate the term A V[f]A (^[t 2 ](^[T 2 ] 2 l)V[t 2 ]G[| 2 ](l 2)) 




Automated Theorem Proving in First-Order Logic Modulo 



19 



1 






y{U) e u, < g(u), u >g r 


2 






— 3 (C) G 73, < g(U), U >G 7? 


3 






y(U)eU,g(U)£B 


4 






- y(U)£B,g(U)£B 


5 






-i < X,Y >G 77, - < X, Z >G R,Y = Z 


6 






-x = y, z g x, - z g Y 


7 


narr. ( 1 ) 


y(C) € B,< g(C), C >G R 


8 






- < y(C), W >G R, ->y(C) £ F,< g(C), C >G R 


9 


res. 


(7,2) 


< g(C), C >G R 


10 


narr. (3) 


y{C) £ 73, g(C) £ B 


11 






- < y(C), W >£ R, — j/(C) G W, g(C) £ B 


12 


res. 


(10,4) 


9(C) £ B 


13 


res. 


(9,5) 


- < g(C), Z >6 77, C = Z 


14 


res. 


(9,13) 


c = c 


15 


res. 


(14,6) 


Z G B,-Z G B,< Z,yi(Z) >G R 


16 






Z G 73, — Z G B, Z G yi(Z) 


17 






->< Z,Wi >£ 7?, — Z € Wi, — Z £ B,< Z, yi(Z) >£ 7? 


18 






- < Z, Wi >G 7?, -iZ G ITi.-Z G B,Ze yi (Z) 


19 


res. 


(17,9) 


- 3 (C) £ B,< g(C), 32 >G 77, < fl (C), yi(g(C)) >G 77 


20 






- 3 (C) € 73, 3 (C) G 32 , < 3 (C), 31 ( 3 (C)) >G 77 


21 


res. 


(19,12) 


< 3 (C), 32 >G 77, < 3 (C), 31 ( 3 (C)) >G 77 


22 


res. 


(20, 12) 


3 (C) G 32 , < 3 (C), 3 i ( 3 (C)) >G 77 


23 


res. 


(18,9) 


- 3 (C) G 73, < 3 (C), 33 >£ 77, 3 (C) G 31 ( 3 (C)) 


24 






- 3 (C) G 73, 3 (C) G 33 , 3 (C) G 31 ( 3 (C)) 


25 


res. 


(23, 12) 


< 3 (C), 33 >G 7 ?, 3 (C)G 31 ( 3 (C)) 


26 


res. 


(24, 12) 


3 (C) G 33 , 3 (C) G 31 ( 3 (C)) 


27 


res. 


(17,21) 


- 3 (C) G 32 , - 3 (C) G 73, < 3 (C), 31 ( 3 (C)) >G 77 


28 


res. 


(27, 12) 


- 3 (C) G 32 , < 3 (C), 31 ( 3 (C)) >G 77 


29 


res. 


(28,22) 


< 3 (C), 31 ( 3 (C)) >G 77 


30 


res. 


(18,25) 


- 3 (C) G 33 , - 3 (C) G 73, 3 (C) G 31 ( 3 (C)) 


31 


res. 


(30, 12) 


-3(C) G 33, 3(C) G 31 (3(C)) 


32 


res. 


(31,26) 


3 (C) G 31 ( 3 (C)) 


33 


res. 


(29, 13) 


C = 31 ( 3 (C)) 


34 


res. 


(33,6) 


Z G 73, iZ G 31 ( 3 (C)) 


35 






-< Z,W 2 >G 77, -ZG W 2 ,-Zg 31 ( 3 (C)) 


36 


res. 


(35,32) 


- < 3 (C), W 2 >G 77, - 3 (C) G W 2 


37 


res. 


(36,9) 


- 3 (C) G 73, < 3 (C), 34 >G 77 


38 






-3(C) G 73, 3 (C) G 34 


39 


res. 


(37, 12) 


< 3 (C), 34 >G 77 


40 


res. 


(38, 12) 


3 (C) G 34 


41 


res. 


(36,39) 


- 3 (C) G 34 


42 


res. 


(41,40) 


□ 






Fig. 7 . Cantor’s theorem in set theory 




20 



Gilles Dowek 



(i.e. Ax VA y (^( R x 2 /)VA(y x))) that expresses Cantor’s set. The term expressing 
Cantor set is thus mostly constructed by the unification algorithm in the first 
case and mostly constructed by the extended narrowing rule in the second. In 
set theory, like in type theory with a relation, the term expressing Cantor’s set 
is mostly constructed by the extended narrowing rule. 

In this case, a single step is needed because we have taken the ad hoc rule 

x € C — ► x e B A Vy (< x, y >€ R => ->x € y) 

But in a reasonable formulation of set theory several steps would be needed. 

Notice, at last, that in the proof in type theory with a relation, the term 
expressing Cantor’s set is constructed several times, because the constraints are 
frozen while in set theory, because the constraints are solved on the fly, this 
term is constructed only twice and propagated. To avoid this redundancy in 
type theory with a relation, it would be a good idea to solve as soon as possible 
the constraints ci and C 2 . 



7 Conclusion 

Using a single automated theorem proving method for type theory and for set 
theory permits a comparison. 

Although the use of a typed (many-sorted) language can be criticized, type 
theory has several advantages for automated theorem proving: typing permits 
to avoid typing literals, it enjoys termination and cut elimination, and the pos- 
sibility to form a term (fa) expressing the image of an object by a function 
avoids indirect definitions. 

This motivates the search of a type-free formalization of mathematics, that 
also enjoys termination and cut elimination and where functions are primitive. 



References 

1. P.B. Andrews. Resolution in type theory. The Journal of Symbolic Logic, 36, 3 
(1971), pp. 414-432. 

2. P.B. Andrews, An introduction to mathematical logic and type theory: to truth 
through proof, Academic Press (1986). 

3. P.B. Andrews, D.A. Miller, E. Longini Cohen, and F. Pfenning, Automating 
higher-order logic, W.W. Bledsoe and D.W. Loveland (Eds.), Automated theorem 
proving: after 25 years, Contemporary Mathematics Series 29, American Mathe- 
matical Society (1984), pp. 169-192. 

4. S.C. Bailin, A normalization theorem for set theory, The Journal of Symbolic 
Logic, 53, 3 (1988), pp. 673-695. 

5. S.C. Bailin, A A-unifiability test for set theory, Journal of Automated Reasoning, 
4 (1988), pp. 269-286. 

6. A. Church, A formulation of the simple theory of types, The Journal of Symbolic 
Logic, 5 (1940), pp. 56-68. 




Automated Theorem Proving in First-Order Logic Modulo 



21 



7. M. Davis, Invited commentary to [28], A.J.H. Morrell (Ed.) Proceedings of the In- 
ternational Federation for Information Processing Congress , 1968, North Holland 
(1969) pp. 67-68. 

8. D.J. Dougherty, Higher-order unification via combinators, Theoretical Computer 
Science, 114 (1993), pp. 273-298. 

9. G. Dowek, Lambda-calculus, combinators and the comprehension scheme, 
M. Dezani-Ciancaglini and G. Plotkin (Eds.), Typed Lambda Calculi and Applica- 
tions, Lecture notes in computer science 902, Springer- Verlag (1995), pp. 154-170. 
Rapport de Recherche 2565, INRIA (1995). 

10. G. Dowek, Proof normalization for a first-order formulation of higher-order logic, 
E.L. Gunter and A. Felty (Eds.), Theorem Proving in Higher-order Logics, Lecture 
notes in computer science 1275, Springer- Verlag (1997), pp. 105-119. Rapport de 
Recherche 3383, INRIA (1998). 

11. G. Dowek, Th. Hardin, and C. Kirchner, Theorem proving modulo, Rapport de 
Recherche 3400, INRIA (1998). 

12. G. Dowek, Th. Hardin, and C. Kirchner, HOL-Acr: an intentional first-order ex- 
pression of higher-order logic, to appear in Rewriting Techniques and Applications 
(1999). Rapport de Recherche 3556, INRIA (1998). 

13. G. Dowek and B. Werner, Proof normalization modulo, Rapport de Recherche 
3542, INRIA (1998). 

14. J. Ekman, Normal proofs in set theory, Doctoral thesis, Chalmers University of 
Technology and University of Goteborg (1994). 

15. M. Fay, First-order unification in an equational theory, Fourth Workshop on Au- 
tomated Deduction (1979), pp. 161-167. 

16. L. Hallnas, On normalization of proofs in set theory, Doctoral thesis, University 
of Stockholm (1983). 

17. G. Huet, Constrained resolution: a complete method for higher order logic, Ph.D., 
Case Western Reserve University (1972). 

18. G. Huet, A mechanization of type theory, International Joint Conference on Ar- 
tificial Intelligence (1973), pp. 139-146. 

19. G. Huet, A unification algorithm for typed lambda calculus, Theoretical Computer 
Science, 1,1 (1975), pp. 27-57. 

20. G. Huet, Resolution d’equations dans les Langages d’Ordre 1,2, ..., u>, These d’Etat, 
Universite de Paris VII (1976). 

21. J.-M. Hullot, Canonical forms and unification, W. Bibel and R. Kowalski (Eds.) 
Conference on Automated Deduction, Lecture Notes in Computer Science 87, 
Springer- Verlag (1980), pp. 318-334. 

22. J.-P. Jouannaud and C. Kirchner, Solving equations in abstract algebras: a rule- 
based survey of unification, J.-L. Lassez and G. Plotkin (Eds.) Computational 
logic. Essays in honor of Alan Robinson, MIT press (1991), pp. 257-321. 

23. J.W. Klop, V. van Oostrom, and F. van Raamsdonk, Combinatory reduction sys- 
tems: introduction and survey, Theoretical Computer Science, 121 (1993), pp. 279- 
308. 

24. D.A. Miller, Proofs in higher order logic, Ph.D., Carnegie Mellon University 
(1983). 

25. D.A. Miller, A compact representation of proofs, Studia Logica, 46, 4 (1987). 

26. G. Plotkin, Building-in equational theories, Machine Intelligence, 7 (1972), pp. 73- 
90. 




22 



Gilles Dowek 



27. W.V.O. Quine, Set theory and its logic, Belknap press (1969). 

28. J.A. Robinson. New directions in mechanical theorem proving. A.J.H. Mor- 
rell (Ed.) Proceedings of the International Federation for Information Processing 
Congress, 1968, North Holland (1969), pp. 63-67. 

29. J.A. Robinson. A note on mechanizing higher order logic. Machine Intelligence 5, 
Edinburgh university press (1970), pp. 123-133. 

30. M. Stickel, Automated deduction by theory resolution, Journal of Automated Rea- 
soning, 4, 1 (1985), pp. 285-289. 




Higher-Order Modal Logic — A Sketch 



Melvin Fitting 

Dept. Mathematics and Computer Science 
Lehman College (CUNY), Bronx, NY 10468, USA, 

f itting@alpha. lehman. cuny . edu 
WWW home page: http://math240.lehman.cuny.edu/fitting 



Abstract. First-order modal logic, in the usual formulations, is not suf- 
ficiently expressive, and as a consequence problems like Frege’s morning 
star/evening star puzzle arise. The introduction of predicate abstraction 
machinery provides a natural extension in which such difficulties can be 
addressed. But this machinery can also be thought of as part of a move 
to a full higher-order modal logic. In this paper we present a sketch of 
just such a higher-order modal logic: its formal semantics, and a proof 
procedure using tableaus. Naturally the tableau rules are not complete, 
but they are with respect to a Henkinization of the “true” semantics. We 
demonstrate the use of the tableau rules by proving one of the theorems 
involved in Godel’s ontological argument, one of the rare instances in the 
literature where higher-order modal constructs have appeared. A fuller 
treatment of the material presented here is in preparation. 



1 Introduction 

Standard first-order classical logic is so well behaved that concentration on it 
lulls the mind. The behavior of terms provides an instructive example. For one 
thing, classical terms are always defined — in every classical model all terms have 
values. But it is well-known that this convention leads to difficulties when definite 
descriptions are involved since, considered as terms, they don’t always denote. 
As Bertrand Russell noted, “The King of France is not bald” has two quite 
different, but equally plausible readings. First, it could mean that the King of 
France has the non-baldness property. This is false since non-existents don’t have 
properties — they don’t even have the non-existence property. Second, it could 
deny the assertion that the King of France has the baldness property. This is true 
because no bald King of France can be produced. The single string of English 
words has two possible logical formulations, and conventional first-order syntax 
cannot distinguish them. 

Russell’s solution to the problem was to introduce a scoping mechanism — it 
appears fully developed in Principia Mathematica. While he thought of it only in 
the context of definite descriptions, it is more generally applicable. Using more 
modern notation, we distinguish between a formula & and a predicate abstract 
( Xx.d > ) drawn from it. Thinking of B( x) as “x is bald,” and k as “King of France,” 
we can symbolize the two possible readings mentioned in the previous paragraph 
as (A x.^B(x))(k) and ->(Ax.B(x))(k). It can be shown that, with a reasonable 



R. Caferra and G. Salzer (Eds.): Automated Deduction, LNAI 1761, pp. 23—38, 2000. 
(c) Springer- Verlag Berlin Heidelberg 2000 




24 



Melvin Fitting 



semantics, these two are equivalent exactly when k denotes, so it is non-denoting 
terms that force us to use such machinery classically. 

Frege noted an analogous problem with intentional contexts, and introduced 
the notions of “sense” and “denotation” to deal with it. Roughly, this gives 
terms two kinds of values, what they denote, and what they mean. Of course 
this is loose. But the introduction of a scoping mechanism also turns out to be of 
considerable use here. This was done first in [7,9]. My colleague Richard Mendel- 
sohn and I developed the idea quite fully in [3] , and a highly condensed version is 
available in [2] . But suffice it to say that the notion of predicate abstraction sup- 
plies an essential missing ingredient for formal treatments of intentional logics, 
modal in particular, as well as for cases where terms can lack designations. 

Thinking further on the matter, I came to realize that even with predicate 
abstraction machinery added as outlined above, first-order modal logic is still not 
as expressive as one would like. And an informal illustration is easy to present. 

Assume the word “tall” has a definite meaning — say everybody gets together 
and votes on which people are tall. The key point is that the meaning of “tall,” 
even though precise, drifts with time. Someone who once was considered tall 
might not be considered so today. 

Now suppose I say, “Someday everybody will be tall.” There is more than one 
ambiguity here. On the one hand I might mean that at some point in the future, 
everybody alive will be a tall person. On the other hand I might mean that 
everybody now alive will grow, and so at some point everybody now alive will 
be a tall person. Let us read modal operators temporally, so that DA informally 
means that X is true and will remain true, and ()X means that X either is true 
or will be true at some point in the future. Also, let us use T(x ) as a tallness 
predicate symbol. Then the two readings of our sentence are easily expressed in 
conventional notation as follows. 



(Vx)OT(x) (1) 

0 (Vz)T(aO (2) 

Formula (1) refers to those alive now, and says at some point they will all be 
tall. Formula (2) refers to those alive at some point in the future, and asserts of 
them that they will be tall. All this is standard, and is not the ambiguity that 
matters here. The problem is with the adjective “tall.” Do we mean that at some 
point in the future everybody (read either way) will be tall as they use the word 
in the future, or as we use the word now? Standard possible world semantics for 
first-order modal logic is constrained to interpret formulas involving T at a world 
according to that world’s meaning of T. In fact, there is no way of formalizing, 
using standard first-order modal machinery, the assertion that, at some point in 
the future, everybody will be tall as we understand the term. But this is what 
is most likely meant if someone says, “Someday everybody will be tall.” 

The missing piece of machinery to disambiguate the sentence “Someday ev- 
erybody will be tall,” is abstraction, applied at the level of relation symbols, 




Higher-Order Modal Logic — A Sketch 



25 



rather than at the level of terms. We get the following six versions. 



(Vx)(AX0 X(x))(T) (3) 

(Vx)0(XX.X(x))(T) (4) 

(XX. 0 (\/x)X{x)){T) (5) 

0(Vx)(AX.X(x))(T) (6) 

(AX.(Vx)OX(x ))(T) (7) 

0(AX.(Vx)X(x))(T) (8) 



We will introduce semantics for interpreting these shortly, but for the time being 
we can provide informal readings. Once semantics have been introduced, it can 
be shown that item (7) is equivalent to (3), and item (8) is equivalent to (6), so 



we omit readings for them. 

It is true of everybody currently alive that they will be tall, (3) 

as we understand the word. 

It is true of everybody currently alive that they will be tall, (4) 

as the word is understood in the future. 

At some point in the future everybody then alive will be (5) 

tall, as we understand the word. 

At some point in the future everybody will be tall, as the (6) 

word is understood at that time. 



Essentially, in first-order modal logic as it has usually been formulated, all 
relation symbols are read as if they had narrow scope, and all constants as if 
they had broad scope. Thus it is as if (4) and (6) were meant by (1) and (2) 
respectively. There is no way of representing (3) or (5). The machinery for this 
representation makes for complicated looking formulas. But we point out, in 
everyday discourse all this machinery is hidden — we infer it from our knowledge 
of what must have been meant. 

Now, why not go the whole way? If we are going to introduce abstraction 
syntax for terms and for relation symbols, why not treat relation symbols as 
terms of a higher order. And then why not introduce the whole mechanism of 
higher-order logic, and do things uniformally all the way up. In fact, this is what 
we do. The following is a very brief sketch — a much fuller development is in 
preparation. 

2 Syntax 

In first-order logic, relation symbols have an arity. In higher-order logic this 
gets replaced by a typing mechanism. There are several ways this can be done: 
logical connectives can be considered primitive, or as constants of the language; 
a boolean type can be introduced, or not. We adopt a straightforward approach 
similar to the usual treatments of first-order logic. 




26 



Melvin Fitting 



Definition 1 (Type). 0 is a type. If ti, . . . ,t n are types, (t \, . . . , t n ) is a type. 
We systematically use t, t\, 1 2 , ti , etc. to represent types. 

For each type t we assume we have infinitely many constant and variable 
symbols of that type. We generally use letters from the beginning of the Greek 
alphabet to represent variables, with the type written as a superscript: a 1 , (3* , 7 *, 
.... Likewise we generally use letters from the beginning of the Latin alphabet as 
constant symbols, again with the type written as a superscript: A 4 , B 1 , C*, .... 
We take equality as primitive, so for each type t we assume we have a constant 
symbol =(*’*) of type (t,t). Generally types can be inferred from context, and 
so superscripts will be omitted where possible, in the interests of uncluttered 
notation. 

Sometimes it is helpful to refer to the order of a term or formula- first-order, 
second-order, and so on. Types will play the fundamental role, but order provides 
a convenient way of referring to the maximum complexity of some construct. 

Definition 2 (Order). The type 0 is of order 0. And if each of t\, . . . , t n is 
of order < k, with at least one of them being of order k itself, we say (t \, . . . , t n ) 
is of order k + 1 . 

When we talk about the order of a constant or variable, we mean the order 
of its type. Likewise, once formulas are defined, we may refer to the order of the 
formula, by which we mean the highest order of a typed part of it. 

Next we define the class of formulas, and their free variables. Unlike in the 
first-order version, the notion of term cannot be defined first; both term and 
formula must be defined together. And to define both, we need the auxiliary 
notion of predicate abstract which is, itself, part of the mutual recursion. 

Definition 3 (Predicate Abstract). Suppose T> is a formula and a\, . .., 

a n is a sequence of distinct variables of types t\, ..., t n respectively. We call 
(Aoq, . . . , a n .T>) a predicate abstract. Its type is {t \, . . . , t n ), and its free vari- 
able occurrences are the free variable occurrences in the formula T>, except for 
occurrences of the variables oq, . . . , a n . 

Definition 4 (Term). Terms of each type are characterized as follows. 

1. A constant symbol or variable is a term. If it is a constant symbol, it has no 
free variable occurrences. If it is a variable, it has one free variable occur- 
rence, itself. 

2. A predicate abstract is a term. Its free variable occurrences were defined 
above. 

We use t, with and without subscripts, to stand for terms. 

Definition 5 (Formula). The notion of formula is given as follows. 

1. If t is a term of type t = (t \, . . . , t n ), and t\, . . . , r„ is a sequence of terms 
of types t\, ..., t n respectively, then r(ri,...,r n ) is a formula. The free 
variable occurrences in it are the free variable occurrences of t, t\, . . . , r„. 




Higher-Order Modal Logic — A Sketch 27 

2. If T is a formula so is -><P. The free variable occurrences of ^<P are those of 
(p. 

3. If <P and T are formulas so is (<P AT). The free variable occurrences of (<P AT) 
are those of <P together with those of T . 

4- If tP is a formida and a is a variable then (\/a)T is a formula. The free 
variable occurrences of(\/a)<P are those of<P, except for occurrences of a. 

5. If T is a formula so is OT. The free variable occurrences ofOT are those of 
<P. 

We use V, D, 0, 3 as defined symbols, with their usual definitions. Also we 
use square and curly parentheses, in addition to the official round ones, to aid 
readability. In addition, since equality plays a fundamental role, we introduce a 
standard abbreviation for it. 

Definition 6 (Equality). Suppose T\ and tq. are variables of type t, and = is 
the equality constant symbol of type (t,t). We write (ti = r 2 ) as an abbreviation 
for = (ti,t 2 ). 



Example 1. For this example we give explicit type information (in superscripts), 
until the end of the example. In the future we will generally omit the superscripts, 
and say in English what is needed to fill them in. 

Suppose x°, and A^ 0 ^ are variables (the first is of order 0, the second 
is of order 1, and the third is of order 2). Also suppose P^o)) anc [ gO are cons tant 
symbols (the first is of order 2 and the second is of order 0). 

1. Both A^°^(A^) and A^(:r 0 ) are atomic formulas. All variables present 
have free occurrences. 

2. (AA^°».A^ 0 »(A(°))) is a predicate abstract, of type (((0))). Only the oc- 
currence of A^ is free. 

3. Since P^ 0 )) j s 0 f type ((0)), (AA^ 0 )) .A^°>> (Af^ ))('P^°>> ) is a formula. Only 
Af(°) is free. 

4. [(AA^^.A^^A^))^^ 0 ^) D A^(:r 0 )] is a formula. The only free vari- 
able occurrences are those of A^ and x°. 

5. ^^([(AA^W^.A^W^AW))^^ 0 ^) D A<°*(a: 0 )] is a formula. The only 
free variable occurrence is that of x°. 

6. (A^^VA^^AA^^.A^^A^))^^ 0 ^) D A^(x 0 )]) is a predicate ab- 
stract. It has no free variable occurrences, and is of type (0). 

We need the type machinery to guarantee that what we write is well-formed. 
Now that we have gone through the exercise above, we can display the predicate 
abstract without superscripts, as 

<Az.(VA)[(AA.A(A))(P) D X(x)J), 



leaving types to be inferred, or explained in words, as necessary. 




28 



Melvin Fitting 



3 Models 

Just as in the classical setting there are standard higher-order modal models and 
non-standard ones. Because of space limitations I’ll only sketch the standard 
version, and say a few words later on about the non-standard one. 

A higher-order modal model is a structure M = (Q,TZ,T>,X), and we spend 
much of the rest of the section saying what each component is. 

The pair (G,IZ) is a frame. In it, Q is a non-empty set of possible worlds, 
and IZ is an accessibility relation on Q. This much is familiar from proposi- 
tional modal logic treatments, and we do not elaborate on it. As usual, different 
restrictions on 1Z give rise to different modal logics. 

Domains of (ground level) objects are introduced into a modal model, just as 
in a classical one. There are two different ways of doing this. Each possible world 
in Q can have its own domain, in which case we take 2? to be a domain function, 
mapping worlds to non-empty sets. Or, all possible worlds can have the same 
domain, in which case we take T> to be just a set, the common domain for all 
worlds. In [5] and [3] reasons are presented as to why either version can be taken 
as basic in the first-order case — essentially each can simulate the other. In the 
interests of simplicity we adopt the constant domain version in the higher-order 
setting. Philosophically, this amounts to a possibilist approach to quantification, 
rather than an actualist one. 

Formally, we take I? to be a single non-empty set, called the domain of the 
model M. 

Definition 7 (Relation Types). Let S be a non-empty set. For each type t 
we define the collection [t, S'] of relations of type t over S. 

Mo,s] = s. 

2. [(fi, . . . , t n ), S] is the collection of all subsets of [ti, S] x • • • x [f„, S] . 

We say O is an object of type t over S if O £ [t, S]. 

At last we can characterize 1, the interpretation of the model. Note that it 
is world-dependent. 

Definition 8 (Interpretation). X is a mapping from constant symbols and 
worlds meeting the following conditions. For each world r £ Q: 

1. If A* is a constant symbol of type t, X(A t ,r) £ [t, D]. 

2. If =(*’*> is an equality constant symbol, X{= < ' t,t \r) is the equality relation 
on \t,V\. 

This completes the specification for each component of JA = (Q,TZ,T>,X). If 
all the conditions given above are met, we say M. is a higher-order modal model. 




Higher-Order Modal Logic — A Sketch 



29 



4 Truth 

Assume At = (G,1Z,T>,T) is a higher-order modal model. We give meaning to 
A i,r lb„ T>, which is read: the formula T> is true at the world T of the model 
At, with respect to the valuation v which assigns meanings to free variables. To 
do this we have to assign denotations to terms in general — the denotation of a 
term of type t will be an object of type t over T>. And this can not be done 
independently. The assignment of denotations to terms, and the determination 
of formula truth at worlds constitutes a mutually recursive pair of definitions, 
as was the case for the syntactic notions of term and formula in Section 2. 

Definition 9 (Valuation). We say v is a valuation in model Ad = {G,IZ,T>, 
1) if v assigns to each variable a t of type t some member of [t, X>], that is, 

viof) <= ft,Vj. 

Note that, unlike interpretations, valuations are not world dependent. 

Definition 10 (Variant). We say a valuation w is an a- variant of a valuation 
v if v and w agree on all variables except possibly a. More generally, we say w is 
an on, . . . , a„-variant if v and w agree on all variables except possibly a\, . . . , 
Oi n • 



Definition 11 (Denotation of a Term). Let Ad = (G,1Z,T>,I) be a higher- 
order modal model, and let v be a valuation in it. We define a mapping (v * 1) , 
assigning to each term and each world a denotation for that term, at that world. 

1. If A is a constant symbol then (v*X)(A, T) =1(A, T). 

2. If a is a variable then ( v *I)(a,r) = v(a). 

3. If (Aai, . . . , a n .F) is a predicate abstract of type t, then 

( v * X)((Aai, . . . , a n .T>), T) is the following member of [t, 2?]: 

{(ic(ai), . . . , w(a n )) | w is an a\, . . . ,a n variant of v and Ad, T II— ^ <£} 



Definition 12 (Truth of a Formula). Again let Ad = (G,1Z,T>,I) be a higher- 
order modal model, and let v be a valuation in it. The notion A d,T lb„ T>, is 
characterized as follows. 

1. For an atomic formula, Ad, T lb„ r(ri, . . . , r„) provided 
{(v * i)(n, r), . . . , (v * i)(T n , r)) e (v*i)(T,r). 

2. Ad, T lb„ if it is not the case that Ad, T lb„ <P. 

3. M,r\\- V $ f\T if M,r\\- V $ and M,r\\- V T. 

4- Ad, r lh„ □<? if Ad, A lb„ <P for all A £ Q such that FFA. 

5. Ad, r lb„ (Va)# if Ad, T lb„/ # for every a-variant v' of v. 

Here are a few examples on which you can test your understanding of the 
definitions above. We are assuming our models are constant domain, so not 




30 



Melvin Fitting 



surprisingly, the Barcan formula is valid. But one must be careful. If # is a 
formula, the following is certainly valid. 

<>(3x)@ D (3x)0#. 

But, the following formula is not valid, even though it has a Barcan-like quan- 
tifier/modality permutation. 

0{3x)(\X.X(x)){P) D (3x)(XX.0X(x)){P). 

The shift of variable binding for X changes things; in the antecedent it is narrow 
scope, but in the consequent it is not. 

As another slightly surprising example, the following formula is valid. 

(AA.0(3x)A(x))(P) D (AX.(3x)X(x))(P) (9) 

In this example the symbol P is given broad scope in both the antecedent and 
the consequent of the implication. This essentially says its meaning in alterna- 
tive worlds will be the same as in the present world. Under these circumstances, 
existence of something falling under P in an alternate world is equivalent to 
existence of something falling under P in the present world. (Don’t forget, we 
are assuming constant domains.) This is just a formal variation on the old obser- 
vation that, in conventional first-order Kripke models, if relation symbols could 
not vary their interpretation from world to world, modal operators would have 
no effect. It is also something that can’t be said without the use of abstraction 
notation. 

5 Non-standard Models 

Just as in the classical case, there can be no proof procedure that is complete 
with respect to the semantics presented in the previous two sections. And just 
as in the classical case, one can introduce a modal version of Henkin models. 
Essentially, at each type level of a model we take some of the relations available 
in principle, but not necessarily all of them. We do not have the space here to 
give details, but they are direct analogs of the classical version. 

The important thing to note, for our purposes, is that the most natural 
higher-order modal tableau rules do not give completeness with respect to modal 
Henkin models. Instead we need a broader notion of model yet — non-extensional 
Henkin models. These can be characterized, and are natural things to study, 
though knowledge of them is not widespread even though Henkin himself men- 
tioned them. After all, it seems reasonable to have a notion of model in which 
the properties of being the morning star and being the evening star are different 
even though they have the same extension. 

Space does not permit a formulation of modal higher-order non-extensional 
Henkin models here. But when formulated, tableau rules given below turn out 
to be complete with respect to them. Then extensionality can be imposed by 
adopting extensionality axioms, in the usual way. The completeness proof has 
considerable complexity, but ultimately is based on constructions of [6,8]. 




Higher-Order Modal Logic — A Sketch 



31 



6 Tableaus 

We present a version of prefixed tableaus, which incorporate a kind of naming 
mechanism for possible worlds in such a way that syntactic features of prefixes — 
world names — reflect semantic features of models, or of candidates for them. 
Prefixed tableau systems exist for most standard modal logics. Here we only 
give a version for S5, without equality and without extensionality. We refer you 
to the literature for modifications appropriate for other modal logics — the same 
modifications that work at the propositional level work in our setting too. 

Definition 13 (Prefix). An S5 prefix is a single positive integer. 

Prefixes have two uses in tableau proofs. The first gives them their name. 

Definition 14 (Prefixed Formula). A prefixed formula is an expression of 
the form g<F, where <j is a prefix and is a formula. 

Think of a prefix as a name for a possible world of some model. And think 
of fj (p as saying that formula is true at the world that a names. 

All tableau proofs are proofs of sentences — closed formulas. A tableau proof 
of is a tree that has 1 at its root, is constructed according to certain 
branch extension rules to be given below, and is closed, which essentially means 
it embodies an obvious syntactic contradiction. This intuitively says cannot 
happen at an arbitrary world, and so is valid. 

The branch extension rules for the propositional connectives are all straight- 
forward. We give them here, including rules for various defined connectives, for 
convenience. In these, and throughout, we use a, g' , ay, and the like as standing 
for prefixes. 

Definition 15 (Conjunctive Rules). For any prefix a, 

<jX/\ Y ct n(IVh) g^(XdY) g X = Y 
g X g^X a X g X D Y 

(jY g ->Y a ->Y gY D X 

For the conjunctive rules, if the prefixed formula above the line appears on 
a branch of a tableau, the items below the line may be added to the end of the 
branch. The rule for double negation is of the same nature, except that only a 
single added item is involved. 

Definition 16 (Double Negation Rule). For any prefix g, 



G ~^~<X 

G X 

Next we have the disjunctive rules. For these, if the prefixed formula above 
the line appears on a tableau branch, the end node can have two children added, 
labeled with the two items shown below the line in the rule. In this case we say 
there is tableau branching. 




32 



Melvin Fitting 



Definition 17 (Disjunctive Rules). For any prefix a, 

ctXVY ct^{X/\ Y) 

aX\ aY a -X\a -Y 

crXDY <t^(X = Y) 

a -nA'|cr 7 a X[X D Y) |cr^(F D X) 

Next we give the modal rules. It is here that the structure of prefixes plays 
a role. For S5, each world is accessible from each world. 

Definition 18 (Possibility Rules). If the positive integer n is new to the 
branch, 

a <)X a -OX 
n X n -<X 

This implicitly treats 0 as a kind of existential quantifier. Correspondingly, 
the following rules treat □ as a version of the universal quantifier. 

Definition 19 (Necessity Rules). For any positive integer n, 

a ax a^QX 

n X n ~>X 

Many examples of the application of these propositional rules can be found 
in [3]. We do not give any here. 

Next, for quantifiers. For the existential quantifier we do the usual thing: 
if an existentially quantified formula is true (at some world), we introduce a 
new name into the language and say in effect, let that be the thing of which 
the formula is true. For this it is convenient to enhance the collection of free 
variables available. We add a second kind, called parameters. 

Definition 20 (Parameters). We have assumed that for each type t we had 
an infinite collection of free variables of that type. We now assume we also have 
a second, disjoint, list of free variables of type t, called parameters. They may 
appear in formulas in the same way as the original list of free variables but we 
never quantify them. Also we never A bind them. We use letters like p, q, P , 
Q, .. .to represent parameters. 

Technically, parameters are free variables. When interpreting a formula with 
parameters in a model, a valuation must provide values for parameters as well 
as for the standard free variables. But since parameters are never quantified or 
used in A bindings, any occurrence of a parameter must be a free occurrence. 
(Consequently they cannot appear in sentences.) We will never need to substi- 
tute a term for a parameter, though we will need to substitute terms for free 
occurrences of variables that are not parameters. For this, and other reasons, we 
adopt the following convention. 




Higher-Order Modal Logic — A Sketch 



33 



Definition 21 (Variable Convention). Occurrences of parameters in a for- 
mula are not counted as free occurrences. Further, if we refer to a variable, it 
is assumed it is not a parameter. If we need to speak about a parameter, we will 
explicitly say so. 

To state the existential tableau rules, we use the following convention. Sup- 
pose ( I(a t ) is a formula in which the variable a t , of type t, may have free oc- 
currences. And suppose p* is a parameter of type t. Then , F(p t ) is the result of 
replacing all free occurrences of a 4 with occurrences of p* . Since our convention 
is that parameters are never bound, we don’t have to worry about accidental 
variable capture. Now, here are the existential quantifier rules. 

Definition 22 (Existential Rules). In the following, p l is a parameter of type 
t that is new to the tableau branch. 

a (3a t )I } (a t ) cr -i(Vcd)<£(a 4 ) 

aT(p t ) <T->$(p t ) 

The rules above embody the familiar notion of existential instantiation. As 
noted, the use of parameters instead of conventional variables avoids complica- 
tions due to conflicts between free and bound occurrences. 

We said prefixes had two roles. We have seen one: formulas are prefixed. The 
other use of prefixes is to qualify terms. Loosely, think of a term r with a as 
prefix as representing the value taken on by the term r at the world designated 
by a. However, writing prefixes in front of terms makes formulas even more 
unreadable than they already are. Instead, in an abuse of language, we have 
chosen to write them as subscripts, t ct though, of course, the intention is the 
same, and we still refer to them as prefixes. 

Formally, we broaden the notion of term (and consequently of formula) to 
allow for prefixes/subscripts. Constant symbols may have prefixes — they are 
non-rigid and can have different values at different worlds, so a prefix plays a 
significant role, fixing the world at which its value is determined. Similarly for 
predicate abstracts. But variables and parameters are thought of as ranging over 
objects directly, and are not world-dependent. Consequently they are not given 
prefixes. 

Definition 23 (Extended Term). An extended term is like a term except 
that some subterms have prefixes attached (as subscripts). Prefixes may appear 
as subscripts on constant symbols and predicate abstracts; they may not appear 
on variables or parameters. It is allowed that no prefixes occur, in which case 
we have a term in the conventional sense. The type of an extended term is the 
same as the type of the underlying term, that is, of the expression resulting from 
dropping all prefixes. 

Extended terms are allowed to occur in the formulas appearing in tableaus. 
Next we need an analog of the notion of closed term, as used in classical first- 
order tableaus. 




34 



Melvin Fitting 



Definition 24 (Grounded). A parameter is a grounded term. A prefixed con- 
stant symbol is a grounded term. A prefixed predicate abstract containing no free 
variables (parameters are allowed) is a grounded term. Also, if . . . ,r„) is 
an atomic formula and tq, T\, . . . , r n are grounded terms, we refer to the formula 
as grounded. 



Example 2. (Ax.(VX)[(A X .X(X))(V) D A(x)]) is a predicate abstract, hence a 
term. Then, {Ax.fi X)[{AX .X(X)) 2 (Vi) D A(x)]) is an extended term. It is not 
grounded, but {Ax.fi X)[{AX .X(X)) 2 (Vi) D A(x)]) 3 is. 

The presence of a prefix a on a subterm is intended to indicate that we are 
thinking about the object the subterm denotes at the world that a denotes. Since 
not all subterms may have been intuitively evaluated at a particular stage of a 
proof, there might be subterms that have not been prefixed. 

Definition 25 (Universal Rules). In the following, r 4 is any grounded term 
of type t. 

g(Va 4 )0(a 4 ) g^(3a 4 )0(q 4 ) 

<J'I>(T t ) <7 -^( t 1 ) 

Now we give the rules for predicate abstracts and atomic formulas. And to 
do this, we first define an auxiliary notion. The intuition is that r@cr plays the 
role of the object the extended term r designates at world cr. Note that r@a 
must be grounded. 

Definition 26 (Evaluation at a Prefix). Let a be a prefix. If t is an extended 
term without free variables, t@<j is defined as follows. 

1. If t is a parameter, r@a = r. 

2. If t is an unsubscripted constant symbol or predicate abstract, t@ct = r CT . 

3. If t is a subscripted constant symbol or predicate abstract, t@<t = r. 

Also, if ro(ri, . . . , r n ) is atomic, where each Ti is an extended term without free 
variables, we set 



[t 0 (ti, . . . , T„)]@CT = [to@Ct(ti@< 7, . . . , T n @cr )] 

The next rule says that determining the truth of an atomic formula at a 
world requires we evaluate its constituents at that world. 

Definition 27 (Atomic Evaluation Rules). Let X be an atomic formula. 

aX a —iX 

aX@a a-iX@a 

If a term is grounded, its meaning is fixed across worlds. If I say “the President 
of the United States,” it means different people at different times, but if I say 
“the President of the United States in 1812,” it designates the same person at 
all times. This motivates the following rule. 




Higher-Order Modal Logic — A Sketch 



35 



Definition 28 (World Shift Rules). Let X be a grounded atomic formula. 

aX a^X 

7T a' n.Y 

Finally, a rule intended to capture the meaning of predicate abstracts. Note 
the respective roles of a and a'. Also, we extend earlier notation so that, if 
L’(ai, . . . , a n ) is a formula, an, . . . , a n are free variables, and n, . . . , T n are 
extended terms of the same respective types as ai, . . . , a n , then #(n, . . . , r n ) 
is the result of simultaneously substituting each r,; for all free occurrences of a* 
in <L. 

Definition 29 (Predicate Abstract Rules). In the following, ti, . . . , r n are 

all grounded terms 

a 1 (Aai, . ■ .,a„.0(ai, . . . , a n )) <T (ri, . . . , r») 

o-$(ti, ..., T n ) 

g'^(Aai, . . .,a„.^(ai, . . . , a„)) <T (ri, ■ ■ ■ , r„) 

a -><?>(ti , ..., T n ) 

Finally what, exactly, constitutes a proof. 

Definition 30 (Closure). A tableau branch is closed if it contains aP and 
<j -<ty, for some formula F. 

Definition 31 (Tableau Proof). For a sentence F, a closed tableau beginning 
with 1 is a proof of <1. 

This concludes the presentation of the basic tableau rules. We have not given 
rules for equality or extensionality. In fact, extensionality is not provable without 
further rules. In the next section we give a few examples of tableau proofs using 
the rules above. 

7 Tableau Examples 

Tableaus for classical logic are well-known, and even for propositional modal 
logics they are rather familiar. The abstraction rules of the previous section are 
new, and we give two examples illustrating their uses, one easy, one harder. 

Example 3. Here is a proof of (9), (AA.0(3a;)A(:r))(P) D (AA.(3a;)A(a;))(P), 
which we earlier noted was valid. 

1 - [(AX.0(3i)X(s))(P) D <AX.(3i)X(*))(P)] 1. 

1 (AX.0(3x)X(x))(P) 2. 

1 ~>(AX.(3x)X(x))(P) 3. 

1 (AX.0(3x)X(x)) 1 (P 1 ) 4. 
l-.(AA-.(3*)A’(*)) 1 (Pi) 5. 

1 0(3x)Pi(x) 6. 

1 ->(3a;)Pi(a;) 7. 

2 (3x)Pi(a;) 8. 

2 Pi(p) 9. 

1-Pi(p) io. 

1 Pi(p) 11. 




36 



Melvin Fitting 



In this, 2 and 3 are from 1 by a conjunctive rule; 4 is from 2 and 5 is from 3 by 
atomic evaluation; 6 and 7 are from 4 and 5 respectively by predicate abstract 
rules; 8 is from 6 by a possibility rule; 9 is from 8 by an existential rule (p is a 
new parameter); 10 is from 7 by a universal rule; and 11 is from 9 by a world 
shift rule. 



Example 4- Our next example is from Godel’s ontological argument for the exis- 
tence of God [4] . We don’t need all the details — think of it simply as a technical 
issue. Essentially, Godel modified an earlier argument due to Leibniz. Part of 
what Godel did was replace a somewhat intuitive notion of perfection with the 
notion of a positive property. This notion was not analyzed, but certain features 
were assumed for it — axioms, in effect. 

Positive Property. We have a constant symbol V of type ((0)) (think of it as 
“positiveness”). We assume 



(WX)[-nV{X) D V(^X)\ 

where, for X of type (0), ~>X abbreviates (Ax.-W(x)). 

Next, Godel takes being God to mean having all positive properties. 

Being God. We use G to abbreviate the type (0) term 

(Ax.(VX)[-ppf) d AT(x)]). 

Finally as far as our example is concerned, Godel characterizes a notion of 
essence. Roughly speaking, a property X is the essence of an object x if every 
property of £ is a necessary consequence of X. 

Essence. We use £ to abbreviate the type ((0),0) term 

(Ax,x.(vy)[y(x) d n(y y )[x( v ) d y(»)]]> 

Now we show one step of Godel’s argument: (Vx)[G(x) D £(G,x)\. That is, 
being God is the essence of anything that is, in fact, God. We give a tableau 
derivation of it from the assumption about positive properties. 

1 -i(Vx)[G(x) D £(G, x)] 1. 

1 n[G(j)D£(G,j)] 2. 

1 G(g) 3. 

1 ->£(G, g) 4. 

1 G^g) 5. 

MAx,x.(vy)[y(x) d n(\/ y )[x( y ) d y(y)]])(G, 5 ) 6. 
MAAf,x.(Vy)[y(x) D n(\/y)[X(y) D Y(y)]])i(G\, g) 7. 

1 -.(vy) [Y(g) D D(Vy) [G, (y) D Y (y)]] 8. 
1-[Q( 5 )DD(V2/)[G 1 (2/)DQ(2/)]] 9. 

l Q(g) 10. 

1 s= in(Vt/)[G 1 (y) d Q(y)] 11. 

1 (VX)l^V(X) D V{pX)\ 12. 

1 -P(Q)DP(-Q) 13. 




Higher-Order Modal Logic — A Sketch 



37 



In this, 2 is from 1 by an existential rule ( g is a new parameter); 3 and 4 are 
from 2 by a conjunctive rule; 5 is from 3 by an atomic evaluation rule; 6 is 4 
unabbreviated; 7 is from 6 by an atomic evaluation rule; 8 is from 7 by a predicate 
abstract rule; 9 is from 8 by an existential rule ( Q is a new parameter); 10 and 
11 are from 9 by a conjunctive rule; 12 is our assumption about positiveness; 13 
is from 12 by a universal rule. 

At this point the tableau branches, using item 13. We first present the right 
branch, then the left. 

l VirQ) 14. 

1(A x.(WX)[P(X) D X(x)})(g) 15. 

l(Xx.('iX)[V(X)DX(x)}) 1 (g) 16. 

1 (\/X)[P(X) D X(g)] 17. 

1 'P(-'Q) 7) (~<Q)(g) 18. 



1 -P(-Q) 19.1 hQ)(g) 20. 

1 (A x.^Q{x))(g) 21. 

1 (Xx.^Q(x))i(g) 22. 

1 -Q(fl) 23. 

Item 14 is from 13 by a disjunctive rule; 15 is 3 unabbreviated; 16 is from 15 
by an atomic evaluation rule; 17 is from 16 by a predicate abstract rule; 18 is 
from 17 using a universal rule; 19 and 20 are from 18 by a disjunctive rule; 21 
is 20 unabbreviated; 22 is from 21 an atomic evaluation rule; 23 is from 22 by a 
predicate abstract rule. Closure is by 14 and 19, and 10 and 23. 

Now we display the left branch. 

1 -AP(Q) 24. 

1 V(Q) 25. 

2-(V 2 /)[G 1 (y) D Q(j/)] 26. 

2-[G 1 (<z)=>Q(< ? )] 27. 

2 Gx(q) 28. 

2 ->Q(q) 29. 

2 (Ax.(VI)[P(I) D IWDj)?) 30. 

1 (\/X)[V(X) D X(q)} 31. 

1 V(Q) D Q(q) 32. 



1 -nP(Q) 33. 1 Q(q) 34. 

Item 24 is from 13 by a disjunctive rule; 25 is from 24 by double negation; 26 
is from 11 by a possibility rule; 27 is from 26 by an existential rule ( q is a new 
parameter); 28 and 29 are from 27 by a conjunctive rule; 30 is 28 unabbreviated; 
31 is from 30 by a predicate abstract rule; 32 is from 31 by a universal rule; 33 
and 34 are from 32 by a disjunctive rule. Closure is by 25 and 33, and 29 and 
34. 








38 



Melvin Fitting 



8 Conclusion 

Higher-order modal logic is inherently complex. Just a sketch was possible here. 
There was no room to present Henkin-modal models, let alone non-extensional 
versions, though they are extremely natural to work with. Tableau completeness 
arguments are especially elaborate. A much longer treatment is in preparation. 
We hope this brief sketch is enough to raise interest in an issue that has rarely 
been looked at in modal logic ([1] is a rare but noteworthy instance). 

References 

1. A. Bressan. A General Interpreted Modal Calculus. Yale University Press, 1972. 

2. M. C. Fitting. Bertrand Russell, Herbrand’s theorem, and the assignment statement. 
In J. Calmet and J. Plaza, editors, Artificial Intelligence and Symbolic Computation, 
pages 14-28. Springer Lecture Notes in Artificial Intelligence, 1476, 1998. 

3. M. C. Fitting and R. Mendelsohn. First-Order Modal Logic. Kluwer, 1998. 

4. K. Godel. Ontological proof. In S. Feferman, J. W. Dawson, Jr., W. Goldfarb, 
C. Parsons, and R. M. Solovay, editors, Kurt Godel Collected Works, volume III, 
pages 403-404. Oxford, Oxford, 1995. 

5. G. E. Hughes and M. J. Cresswell. A New Introduction to Modal Logic. Routledge, 
London, 1996. 

6. D. Prawitz. Hauptsatz for higher order logic. Journal of Symbolic Logic, 33:452-457, 
1968. 

7. R. Stalnaker and R. Thomason. Abstraction in first-order modal logic. Theoria, 
34:203-207, 1968. 

8. M. Takahashi. A proof of cut-elimination theorem in simple type theory. J. Math. 
Soc. Japan, 19:399-410, 1967. 

9. R. Thomason and R. Stalnaker. Modality and reference. Nous, 2:359-372, 1968. 




Proving Associative-Commutative Termination 
Using RPO-Compatible Orderings* 



Deepak Kapur 1 and G. Sivakumar 2 

1 Department of Computer Science, University of New Mexico 

kapurOcs .unm. edu 

2 Computer Science Department, Indian Institute of Technology, Bombay, India 

sivaOcse . iitb . ernet . in 



Abstract. Developing path orderings for associative-commutative (AC) 
rewrite systems has been quite a challenge at least for a decade. Compat- 
ibility with the recursive path ordering (RPO) schemes is desirable, and 
this property helps in orienting the commonly encountered distributiv- 
ity axiom as desired. For applications in theorem proving and constraint 
solving, a total ordering on ground terms involving AC operators is often 
required. It is shown how the main solutions proposed so far ([7], [13]) 
with the desired properties can be viewed as arising from a common 
framework. A general scheme that works for non-ground (general) terms 
also is proposed. The proposed definition allows flexibility (using differ- 
ent abstractions ) in the way the candidates of a term with respect to 
an associative-commutative function symbol are compared, thus leading 
to at least two distinct orderings on terms (from the same precedence 
relation on function symbols). 

1 Introduction 

Rewrite systems provide a useful model of computation based on the simple 
inference rule of “replacing equals by equals.” Rewrite techniques have proved 
successful in many areas including equational programming, theorem proving, 
specification and verification, and proof by induction. 

Rewriting techniques particularly are effective in reducing the search space 
for finding proofs because of the ability to orient equations into one-directional 
rewrite rules. Rewrite rules are used for “simplifying” expressions by repeatedly 
replacing instances of left-hand sides by the corresponding right-hand sides. For 
example, the rules below express addition and multiplication over natural num- 
bers. 



* This paper is a revised version of an earlier draft entitled A recursive path ordering for 
proving associative- commutative termination [8] by the authors which was published 
as a technical report of the Department of Computer Science, State University of 
New York, Albany, NY 12222, May 1998. This research has been partially supported 
by the National Science Foundation Grant nos. CCR-9712366, CCR-9712396, and 
CDA-9503064. 



R. Caferra and G. Salzer (Eds.): Automated Deduction, LNAI 1761, pp. 39—61, 2000. 
(c) Springer- Verlag Berlin Heidelberg 2000 




40 



Deepak Kapur and G. Sivakumar 



0 + x - 


-> X 


s(x) + y - 


■* s(x + y) 


0* x - 


■* 0 


s(x) * y - 


■* y + {x * y) 



A sample derivation chain is s(0) * s(0) — > s(0) + (0 * s(0)) — > s(0) + 0 — > 
s(0 + 0) -» s(0). 

Termination of such derivations is crucial for using rewriting in proofs and 
computations, as well as for mechanizing proofs by induction. One approach to 
prove termination is to design well-founded orderings on terms which include the 
rewrite relation. Several syntactic path orderings based on extending a precedence 
relation >- on function symbols to terms have been developed [4] . 

The Recursive Path Orderings (RPO) [4] are the most commonly used or- 
derings in rewrite-based theorem provers . When >- is a total precedence 
relation on function symbols, RPO is total (up to equivalence) on ground terms 
(terms without variables). That is, given two distinct ground terms, either they 
are equivalent under the ordering, or one of them is bigger. Total orderings on 
ground terms have been found useful in theorem proving and constraint solving. 

Many interesting and useful theories use operators (such as +,*,V,A,®) which 
are associative and commutative. We refer to such operators as AC-operators and 
terms using these operators as AC-terms in the rest of the paper. Developing 
well-founded orderings on AC-terms which are useful for proving termination 
of AC-rewrite systems has been quite a challenge. A number of attempts have 
been reported in [1,15,3]; see also [11,2] for polynomial orderings as well as [5] 
for other approaches. 

Two properties can be used to distinguish between most of the related pre- 
vious work and to motivate the work done in this paper. The first property is 
RPO -compatibility. That is, whether an AC-ordering behaves exactly like RPO 
on non- AC terms as well as allows (like RPO) the orientation of the distributiv- 
ity axiom (x*(y+z) — > (x * y) + (x * z) as desired by making * >- +, even though 
both + and * are AC-operators. The second property is the ground totality. That 
is, whether the proposed ordering is total on ground terms when the precedence 
relation on function symbols is total. 

In 1990, Kapur, Sivakumar and Zhang proposed a general ordering scheme 
based on recursive path ordering with status (rpos) without any restrictions on 
the precedence relation between function symbols [9]. Their ordering scheme 
however has a weakness: it is not total on equivalence classes of AC ground 
terms even when the precedence relation on function symbols is total. A total 
ordering on AC-ground terms was first proposed by Narendran and Rusinowitch 
[12] based on polynomial interpretations (hence, it is not RPO-compatible) . That 
ordering does not orient distributivity appropriately. 

Rubio and Nieuwenhuis introduced a total ordering on ground terms for a 
total precedence relation on function symbols [14] which uses both interpreta- 
tions similar to [1] , and the idea of elevation used in [9] . They showed how their 
ordering can be lifted to non-ground terms. The main weakness of their ordering 





Proving Associative-Commutative Termination 



41 



is that it does not orient distributivity properly. In particular, even if * > +, 
x * (y + z) < (x * y) + (x * z), so that ordering is not RPO-compatible either. 

In [7] , we proposed a path ordering based on rpos that is total on AC ground 
terms, and orients the distributivity law properly by making a * (6 + c) > 
(a * b) + (a * c) if * > +. However, we could not give a natural extension of 
the definition to non-ground terms, and had to resort to approximations and 
constraint solving for extending the ordering to general terms. Using ideas sim- 
ilar to [7], Rubio proposed an ordering using a bottom-up construction [13]. He 
defined an interpretation associated with a term (with respect to an AC symbol) 
as a multiset of sequences. This ordering has all the desired properties on ground 
terms, but does not lift to non-ground terms. In [13], Rubio stated “the ordering 
we have defined on ground terms . . . cannot be used directly on terms with 
variables.” He instead gave two approximations to extend his interpretations to 
non-ground terms. While the first approximation is not as complex, it is unable 
to handle comparisons of simple terms such as f(i(i(x)),x) with f(i(x),i(x)) 
with f i. The second approximation is quite complex. 

In this paper, we show how the main ideas used in the earlier approaches 
can be cast in a uniform framework. The proposed scheme simplifies the def- 
initions in our earlier paper [7] even though the basic concepts of candidates 
and constructions for generating candidates in the two papers are related. More 
importantly, it is possible to extend the definition directly to non-ground (gen- 
eral) terms. This scheme also allows us to identify the main parameter — the 
abstraction used to compare contributions from function symbols ignored dur- 
ing elevation — that allows variants (two are given in this paper) of the basic 
ordering. 

The rest of this paper is organized as follows. In Section 2, we give the relevant 
definitions and background for proving termination using RPO. In Section 3, 
we explain the major issues in designing a RPO-compatible ordering for AC- 
terms using illustrative examples to bring out the key ideas that have been 
proposed. In Section 4, we define an ordering scheme for comparing AC-terms. It 
is parameterized by an abstraction function, giving at least two distinct orderings 
for the same precedence relation on function symbols. Sections 5 and 6 discuss 
proofs, focusing on irreflexivity, transitivity, subterm, replacement and stability 
properties. It is also shown that the ordering is total on nonequivalent ground 
terms. We conclude in Section 7 with discussion of related work and suggestions 
for future work. 



2 Rewrite Systems and Simplification Orderings 

Let T(F, X) be a set of terms constructed from a (finite) set F of function 
symbols and a (countable) set X of variables. We normally use the letters a 
through h for function symbols; s, t, and u through w for arbitrary terms; x, y, 
and ^ for variables. Each function symbol f £ F has an arity n > 0; constants 
are function symbols of arity zero. Variable-free terms are called ground . 




42 



Deepak Kapur and G. Sivakumar 



A term t in T(F, X ) may be viewed as a finite ordered tree. Internal nodes are 
labeled with function symbols (from F) of arity greater than 0. The out-degree 
of an internal node is the same as the arity of the label. Leaves are labeled with 
either variables (from X ) or constants. We use root(t) to denote the symbol 
labeled at the root of the tree corresponding to t. A subterm of t is called proper 
if it is distinct from t. By t | w , we denote the subterm of t rooted at position tt. 
Let u be a term and tt a position in u. We use u[-] w to denote the context for 
position tt in u. Loosely speaking, the context is the tree obtained by deleting 
the subterm at position tt leaving a “hole” in the term. We use u [t] ^ to denote 
a term that has t plugged in as a subterm at the “hole” in the context u[-] w . 

A substitution a is a mapping from variables to terms such that xa ^ x for 
a finite number of variables. The depth of a substitution a is the maximum of 
the depths of the terms used in this mapping. A substitution can be extended 
to be a mapping from terms to terms. We use ta to denote the term obtained 
by applying a substitution a to a term t. For example, the ground substitution 
a = {x k(a), y i— > d} when applied to the term t = f(x, y) gives the ground 

term ta = f(k(a),d). 

A rewrite rule over a set T(F, X) of terms is an ordered pair ( l , r) of terms 
such that the variables in r also appear in l , and is written l —* r. A rewrite 
system (or term rewriting system ) R is a set of such rules. Rules can be used 
to replace instances of l by corresponding instances of r. 

One approach to proving termination of rewrite systems is to use simplifica- 
tion orderings [4]. A simplification ordering has the following properties. 

1. Subterm Property: u[t] >- t for any term t and a non-empty context «[■]. 

2. Monotonicity: s yt implies that u[s] w ^u[t] n , for all contexts u[-j, terms 
s and t, and positions tt. 

We have omitted the deletion property which is needed only if there are function 
symbols with varying arity. Any simplification ordering >- on terms is well- 
founded, that is, there is no infinite descending chain of terms t\ >- t% >- <3 • • •. 
A simplification ordering that also has the following property 

— Stability: for all terms s and t, s yt implies that for all substitutions a , 
sa >~ ta. 

can be used for proving termination of rewrite systems. If for every rule l — > r 
in R, I y r in a simplification ordering y- which is stable under substitutions, 
then — > is terminating. 

2.1 Recursive Path Ordering 

Let >- be a well-founded precedence relation on a set of function symbols F. 
For simplicity and without loss of generality, we assume in the rest of the paper 
that >~ is total, i.e. , any two distinct function symbols /, g are comparable using 
>- (i.e. they are equivalent or one is bigger). Also without loss of generality, 

we assume that there is at least one constant symbol in F, and we denote the 




Proving Associative-Commutative Termination 



43 



smallest constant in F by a. The recursive path ordering extends >- on function 
symbols to a well-founded ordering on terms [4] . For convenience we do not use 
left-to-riglrt or riglrt-to-left status for any operator as in LRPO although all 
results in this paper easily extends to this also. 

Definition 1. Two terms t and s are equivalent (t ~ s ) if they are either the 
same variable, or both are non-variables i.e. t = f(t \ , . . . , t n ), s = g(s i, . . . , s rn ) 
and / = g, n = m, and there is a permutation p of (1, . . . , n) such that t 7 ; ~ s p ^y 

Definition 2 (RPO[4]). s = /(si, . . . , s n ) >- g(ti , . . . , t m ) = t iff one of the 
following holds. 

1. / >~ g, and s >~ tj for all j (1 < j < m). 

2. / = g, and {si, . . . ,s„} >- mul {h , . . . , t m }. 

3- f ¥ g, and for some i (1 < i < n ), either s* or Si >~ t. 

The ordering >- is a simplification ordering [4]. Also, when the precedence 
relation on F is total, two distinct ground terms are either equivalent or com- 
parable under 

2.2 AC-Rewriting and Rs Termination 

With operators that are associative and commutative, the definition of rewriting 
needs to be modified to include the consequences of these two properties which 
are not explicitly added as rules (since x * y = y * x cannot be oriented) . Let 
Fag denote the set of such operators. 

Consider a rule a * b — > c, where * £ Fac- The term t = (b * c) * a cannot 
be rewritten directly if we use the definition of — » given earlier, as no subterm 
of t is of the form a * b. But t is equivalent to the term s = (a*b) * c (using the 
AC properties of *) and s — ■> c * c. AC-rewriting (— is defined to cover such 
cases as follows. 

Definition 3 (AC-Rewriting). u[t\ ~^>ac w[ s/ ] if t AC ac s (re-ar- 

ranging arguments of AC-operators) and s — > s' using l —* r in R. 

With this definition of rewriting, we need to ensure that any simplification 
ordering also has the following property to ensure its usefulness in proving ter- 
mination of AC-rewriting. 

Definition 4 (AC-Compatibility). A simplification ordering >- is AC-com- 
patible if, for any terms t, t\, s, and si, if t t\, s Si, and t y s, then t\ S\. 

2.3 Flattening 

A key idea that figures in many approaches to AC-rewriting is to treat AC- 
operators not as strictly binary functions (arity = 2) but to let them be vary-adic 
and use flattening (of AC-operators) to convert terms like (a*b) *c to *(a , b , c). 
We use t to denote the flattened form of a term t. 




44 



Deepak Kapur and G. Sivakumar 



Definition 5. The flattened form t of a term t is defined below. 

{ x if t = x, a variable 

f(ti, ■ ■ ■ , U) lit = f(t i ,...,*„) and / £ Fa C 
/(Ti U • • • U T n ) if t = f(ti F ac _ and 

rj-t f , . . . , S m } if ti f (si , • • . , S m ) 

* \ {f*} otherwise 

The important question that arises is, whether the termination of —>ac can 
be proved using >- and treating AC-operators just like other function symbols 
(except that they have variable arity), and using flattened terms always. That 
is, we may attempt to define an ordering >- on AC-terms using s y 1 iff s yt. 



3 Issues in Extending RPO to AC-Terms 

It is well known that defining RPO on flattened terms does not give a sim- 
plification ordering on AC terms. We show through a series of examples, first 
with ground terms and then with terms containing variables, the difficulties en- 
countered in adapting RPO to terms with AC-operators. We then introduce the 
notion of candidates for a term, taking into consideration how different subterms 
with an outermost symbol smaller than an AC-operator are elevated; this con- 
cept of elevation was first used in [9] . We motivate possible abstractions that can 
be used when comparing candidates. This leads to several versions of AC-RPO 
including an ordering similar to [7] and an ordering in [13]. 

In all examples henceforth, we use gyfyjyiycybya with 
/ € F A c as the precedence relation. 

Using RPO, g(a) y f(a , a) y i(a). By monotonicity , the following chain must 
hold. The second inequality does not hold under RPO since {z(a), a} ^{a, a, a}. 



/\ 



g 



a 



> 



f 




a a 

flattening 



> 



f 




a 



a 



This shows that when comparing two terms having the same AC-operator as 
root symbol, the arguments cannot be compared simply as multisets (or se- 
quences) as in RPO. A more nuanced comparison of arguments is needed to 
prove /(a, a, a) !>- f(i(a),a). 

The number of arguments (referred to as f count later) below the AC-operator 
has a role to play to account for the effect of flattening. A similar example is 
/(a, a, a) >~ /(c, c). A useful idea that helps is to compare small terms (no symbol 
bigger than /) first by number of such terms and then only the actual terms 
themselves, is to abstract such terms by a (the smallest constant) first. 




Proving Associative-Commutative Termination 



45 



It may be useful to observe that when operators bigger than / are involved, 
the situation is somewhat different. That is, since g{a) f(c , . . . , c) (any number 

of c’s since g >-/), we have that f{g(a),a) > f(c, So, the number of 

arguments becomes a factor only when the big arguments (those with root symbol 
bigger than /) do not play any role in the strict comparison. 

To summarize, to maintain the monotonicity property, in comparing two 
ground terms, an argument of / with a symbol bigger than / can take care of 
many smaller arguments of / (which do not have any occurrence of a symbol 
bigger than /), but otherwise, the number of arguments to / becomes relevant. 

A second interesting observation is that since f(b, c) >~ c)) by RPO, we 

should make f(b, c, b, c) >~ c))). That is, the role of the smaller 

operator i in between nested f s, that can be elevated, is less important than 
that of the actual arguments 6, c below the AC-operator, even though i is bigger 
than b and c. 

The following example shows a third dimension-how the arguments of an 
AC-operator are partitioned. The first comparison is because we have simply 



f 



f 

/\ 

a a 



f f 



/\ 



f 




^ /\ 

b b c c 



r 




r 



c c a 



replaced i(f(a, a)) by its subterm /(a, a) and flattened. The second follows once 
we note that /(a, c))) >- i(f(a, c, c)) by RPO. 

In the examples above, the requirements of any simplification ordering such as 
the subterm and monotonicity properties, forced the outcome of the comparison. 
Whatever method of comparing AC-terms we provide must preserve the order 
in these examples. 

In the following example we have persevered the arguments below the AC- 




f =S t= f 



/\ /\ 
a c a b 



operator and kept the partition sizes the same. Then, different ways of defining 




46 



Deepak Kapur and G. Sivakumar 



comparison of AC-terms could orient these differently. Using [7], t y s, whereas 
using [13] as well as the orderings proposed in this paper, s y t. 

3.1 Candidates 

The main approaches for developing RP O-compatible orderings for AC-terms 
([9], [7], [13]) have tackled the problems identified above in slightly different ways. 
All of them change RPO only in the case when we compare s = f(S) with 
t = f(T) with / € Fac- They give different ways to compare S and T. 

A unifying framework can be developed using the common threads. Some 
useful definitions are given first. 

Definition 6 (Big Terms). A term t is called big with respect to an AC- 
operator /, if t = g(ti, with g y f. 

Definition 7 (Small Terms). A term t is called small with respect to an AC- 
operator /, if t is a ground term with all function symbols and constants in t 
smaller than /. 

If a non-variable term is neither Big nor Small, then it is said to be elevatable. 

Definition 8 (Elevatable Position). A position A in t = i{t\, . . . ,t n ) with 
/ >- i is said to be elevatable with respect to / € Fac, if for all proper prefixes 
A' of A, we have / >~ top(t\y) and top(t\\) > /, or t\\= x a variable. 

Definition 9 (Elevatable Subterm). A subterm t' at position A in the term 
t = i(ti , . . . , t n ) is said to be elevatable with respect to / if A is an elevatable 
position in t with respect to /. 

For example, in the term j(g(x), i(f(x , a))), we have two elevatable subterms 
g(x) and f(x,a) with respect to /. In the term t = j(x, j(g(a),i(y))), we can 
elevate x, g(a) or y\ in /(a, c),g(a))), f(b, c) as well as g(a) can be elevated. 

Definition 10 (Elevation). We can derive s from t by elevation (denoted t => 
s) if t = /(... , i(ti, . . . , t n ), . . .) with f yi, and s = /(..,, t', . . .) for some term 
t' elevatable from i(ti, . . . , t n ) with respect to /. We say that t elevates to s. 

For example, f(a,j(f(b,c),g(a))) elevates to either f(a,g(a)) or f(a,b,c) de- 
pending on which subterm is used in the elevation. 

We say that a term t = f(T) is in elevation normal form ( enf) iff T = BUUUS' 
where B is a multiset of big term, V is a multiset of variables and S' is a multiset 
of small terms. If we further require that each small term s € S is only a the 
smallest constant, then we call such a term as being in argument normal form. 
We can convert a term s = f(S) to argument normal form s' = anf(s), by first 
doing all possible elevations and then replacing all maximal small terms by a. 

Comparing terms in argument normal form by simply comparing the argu- 
ments as multisets is safe to do. This has been used as a subcase in many previous 
approaches to designing AC-RPO. 

With this comparison of terms, a sufficient condition for s = /(.S') >- f(T) = t 
can be stated. 




Proving Associative-Commutative Termination 



47 



Definition 11 (ACRPO-1). s = f(S) >- f(T) = t if for every t' £ anf(t), 
there is a s' £ anf(s) such that s' >- t! . 

Note that this definition is sufficient to handle some of the problem cases 
described earlier. For example, we can show /(a, a, a) >~ a). 

ACRPO-1, though sound, is not enough to ensure that we have a simplifica- 
tion ordering since it cannot show, for example, that 

, a)),i(f{a, a)),i(f(a, a))) >- , a, a)),i(f(a, a, a))). 

ft is essential to give some way to compare terms whose biggest anf- forms are 
identical as in the case above, ft becomes necessary, therefore, to build up another 
view (called Context in [7]) while deriving the enf- form (called Arguments in 
[7]). The role of context is to bring back the actual values of the Small terms 
(replaced by a), the smaller operators (such as i ) lost during the elevation, and 
the role they play in partitioning the arguments. 

Consider the example shown in the figure. 



f <g(a),a,g(a)> 




/ \ 

1.1. l.lg b 

I 

a 



The view as Arguments is {g(a),a, g(a)} (the cm /-form) with the elevations 
happening at position 1 and later at the subterm j(g(a), b) at position 1.1.1. We 
can define the context of this view as the multiset of pairs {({g(a)},j(g(a),b)), } 
{({g(a),a},i(f(j(g(a),b),c))), ({a},c)} which is the collection of the subterms 
in which elevations occurred and by the contribution of this elevated subterm to 
the view as Arguments, and also the Small Terms in the elevation normal form 
that were replaced by a. 

This leads to the idea of candidates. A candidate for a term s = f(S) (with 
/ G Fac) is obtained by taking from each s, £ S, its contribution to two different 
“views” of S- Arguments and Contexts. When comparing two terms /(Si) 
and f (5*2 ) , the views as Arguments are compared first, and only if they are 




48 



Deepak Kapur and G. Sivakumar 



equivalent, the contexts are compared. The interesting issue is how contexts 
should be compared. 1 

3.2 Context Comparison 

We go back to the example shown earlier for partitioning to illustrate some im- 

£ <a,a,a,a,a,a> 

M j j M j M 

! | = s > 

f t f 

a a b b c c 




portant issues in context comparison. The view as Arguments is the same for 
both terms: ({a, a, a, a, a, a}). So, we have to consider the role of the contexts 
C s and Ct where dropping common pairs, 

C s — C t — {({a, a}, i(f(a, a)))({a, a}, i(f(b, b)))({a, a}, i(f(c, c)))} and 

Ct — C s = {({a,a,a},i(f(a,b,b))){{a,a,a},i(f(a,c,c)))} and we must have 

C s >C t . 

Since the Arguments are overall the same on both sides, if an elevated sub- 
term has contributed less, that means that it appears in a bigger context (more 
contribution from the other arguments), and it should be given more weight. 
This suggests that the contribution of the elevated subterms to the Arguments 
play an inverse role in the comparison. 

Pairs in contexts are thus compared by first using union of contributions from 
other subterms to this view (Arguments) first, and then going to the elevated 
subterms themselves. 

That is, if f(S) has a candidate (A S ,C S ) and f(T) has a candidate ( A t ,C t ) 
and we need to compare C s with Ct (since A s = A t ), then for every pair (A, tt) £ 
Ct — C s , we look for a pair (B, ss) £ C s — Ct such that either A s — B , the context 
of ss, takes care of A t — A, the context of tt, or the two contexts are equivalent 
and ss >~ tt. 

In the example above, we compare 

C' s = {({a, a, a, a}, a)))({a, a, a, a}, i(f(b, b)))({a, a, a, a}, i(f(c, c)))} and C' t 

= {({a, a, a}, i(f(a, b, 6)))({a, a, a}, i(f(a, c, c)))} and as desired we get C s >~ Ct- 
For comparing the contexts themselves (A s — B with At — A), variations are 
possible. One is to compare them just as multiset of terms (the term abstraction ) 

1 Definitions of [7] have been simplified here. The context in a candidate as defined 
in [7] is a multiset of pairs of terms corresponding to the order in which elevatable 
subterms are elevated; the first component in the pair is the rest of the term obtained 
after deleting the elevated argument, and the second component is the elevated 
argument itself. 




Proving Associative-Commutative Termination 



49 



using the same ordering. This leads to a definition similar, but not exactly the 
same, as the one in [7]. Another approach is to simply compare their lengths 
(number of terms in A s — B with the number in A t — A) since this is a measure 
of how the views of Arguments are partitioned. 

An example that distinguishes the two orderings is given: s = f(i(g(b)),g(c)), 
t = f{i{g{c)),g(b)). The Arguments for both s and t are the same: {g(b), g{c)}. In 
s, g(b) is elevatable, whereas in t, g(c) is elevatable. The context of the candidate 
of s is {({ 5 ( 6 )}, i(g{b))}}; the context of the candidate of t is {({p(c)}, i(g(c)))}; 
If we use the f count abstraction, then t y s. Using the term abstraction, we get 
s yt. 

4 Definition of AC-RPO ( y ac ) 

As indicated in the previous section, a candidate for a term t is a pair (A, C) 
where A is the view as arguments, and C is the context for this view. The 
multiset of candidates of any term t with respect to an AC-operator / is defined 
formally below as cands(t, /). 

Definition 12 (Candidates). 

Y cands(x , /) =>• {({a: T7WT I 

2. cands(t = g(t 1 ,...,t n ),f)=>{({t},<j))} if g A f. 

3. cands(t,f) => {<{«.}, {({a}, *)}>} 

if t is a Small term wrt /. 

4. cands(f(t \, . . . , t n ), f) => {(+J, c u G cands(U, /)} 

5. cands(t = i(t 1 ,...,t n ),f) => (J{(A', C' U {{A 1 , t)})\(A', C') G cands(t',f)} 

if f yi and t! is elevatable from t. 

The first three rules are the base cases. A term t which is a variable, or whose 
top symbol is bigger than / (i.e. a Big term), contributes itself to Arguments and 
nothing to the Context. A Small term contributes a to arguments (the smallest 
constant) and ({a}, t) to context. 

Rule 4 defines the candidates of /(fi, . . -,t n ) to be union of candidates ob- 
tained by the component- wise union of one candidate from each of the arguments 
Note that if tj has rij candidates, then the number of candidates of 
f(t\, . . . , t n ) is the product of the nj-s. 

Finally, Rule 5 defines the interesting case when i < f is the top symbol of 
t = i(ti, . . . ,tn) and t has some elevatable subterm t'. A candidate Ct = (At, Ct ) 
for t is obtained from each candidate Ct < = (JVC) of t! by not changing the view 
in Arguments (i.e. A t = A '), and adding to the view as Context the pair (A',t) 
(i.e. C t = C U (A 1 ,t)). In this case, if each elevatable t! has rij candidates, the 
number of candidates is the sum of the nj-s. 

A few illustrative examples of candidates is given below. In all these examples 
g >- f y j y i y c yb y a is the precedence relation, as before. 

Example 1. si = f(i(i(i(a))),b) has only one candidate: 

({a, a}, {({a}, b), ({a}, z(*(z(a))))}). Notice that both small terms have contri- 
buted only a to the Argument view. 





50 



Deepak Kapur and G. Sivakumar 



Example 2. S2 = f(i(g(b)),c) has only one candidate: 
({g(b),a},{({g(b)},i( 9 m({a},c)}) 

Example 3. s 3 = /(z(/(6, c)), c, c) also has only one candidate: 

({a, a, a, a}, {({a}, b), ({a}, c), ({a}, c), ({a}, c), ({a, a}, i(f(b, c)))}). Notice that 
i(f(b , c)) contributes {a, a} to Arguments. 

Example C S4 = f(j(g(x),g(c)) 1 g(z)) has two candidates: 

((5(a:),fl(«)},{({fl(a:)},i(fl(*),fl(c))}}} and {{g(c),g(z)},{{{g(c)},j(g(x),g(c)))}) de- 
pending on which argument of j(g(x), g(c)) is elevated. 

Example 5. S5 = /(z(c), j(f(b, b), y)) also has two candidates: 

({a, a, a}, {({a}, i[c)), ({a}, 6), ({a}, b), ({a, a}, j(f(b, b),y ))}) if f(b, b) is elevated 
from j(f(b, b),y). Or, 

{(W> *(c)>, ({y}, j(f(b,b), y)}}) if y is elevated from j(f(b,b),y) which 
then gets {y} as its contribution to the Arguments. 

Example 6 . sq = f(i(f(x , z(/(6, y)))), c) has only one candidate: 

({x, a, y, a}, {({a}, 6), ({y, a}, i(f(b, y))}, ({x, y, a}, i(f(x, i(f(b, y))))){{a}, c)}) 
Note that the repeated elevation from i{f(b, (/)))) adds one pair to the 

context each time with its contribution to the Arguments. 

4.1 Properties of Candidates 

Definition 13 (f-blocked). A term t is said to be /-blocked if it is a variable, 
a Big term, or the smallest constant a. 

Property 14. Let ( A t ,C t ) € cands(t, f). Then, 

1. Every term in A t is an /-blocked term. That is A t contains only big terms, 
variables, or a (smallest constant). 

2. At = {f} or At is a multiset of proper subterms of t. So, if >~ is any ordering 
with the subterm property, then {f} > A t . 

3. In every pair ( A , ft) G C t , 

(a) A contains only /-blocked terms. 

(b) tt is never a variable. It is either Small (ground) term or has an elevatable 
subterm with respect to /. 

(c) A C A t . If top(t) = /, then A C A t (strict subset) and tt is a proper 
subterm of t. 

Property 15 (Equivalent Candidates). If and / G Fac , then for every 
candidate (A t , Ct) G cands(t,f), there is a candidate {A s , C s ) G cands(s,f) (1- 
1 correspondence) which is component-wise equivalent. That is, cands(s, /) = 
cands(t , /) (= is modulo ~). 

Proof. Since s~f, we can map the positions used in t to derive any ( A t , Ct) to 
an appropriate set of positions (arguments can be permuted) in s and use it to 
derive the corresponding (A s , C s ). 

Property 16 (Distinct Candidate Sets). If s /^t and / G Fac > then 

cands(s, f) ^ cands(t , /). 




Proving Associative-Commutative Termination 



51 



4.2 Comparing Terms 

Definition 17 (AC-RPO). A non- variable term s >- ac a; for any variable x in s. 
Otherwise, s = f(s i, . . . , s n ) >~acg(t l, • • • , t m ) = f, if one of the following holds. 

1. / >~ g, and s >- ac /, for all j (1 < j < m). 

2 - / = g & F ac , and {si, . . . ,s„} >- a ™ ul {h, ■ . . , t m }. 

3. / = g € Fac , and cands(s , /) ™ ul cands{t , /). 

(That is, for every candidate c* G cand(t , /) — cands(s, /), there is a candi- 
date c s G cands(s, f) — cands(t, f) such that c s q.) 

4 . f g and for some i (1 < * < n), either s* or s* >- ac t. 

Note that if a: is a variable, a; for any f. Also, a; F ac a, given that a is 
the smallest constant. 

The comparison of candidates used above is defined as follows. Let c s = 
(A S ,C S ) G cands(s, f) and c t = ( A t ,C t ) G cands(t , /). c s q if A s F ac mul A t 
and and one of the following holds. 

1. A s >- a ™ ul A t . Or, 

2- A s h ac mul A t , and C s >-Ct as defined below: 

( C s — C t ) ^ cj) and for every pair ( A , tt ) GC ( - C s , there is a pair ( B , ss) G 
such that 

(a) abs(A s - B,f) > abs{A t - A, /), or 

(b) abs{A s — B,f) > abs(A t — A, f) and ss >- ac tt 

The function abs(M, f) where M is a multiset of /-blocked terms is a suitable 
abstraction of the contribution of M to the Argument view. This abstraction 
can be defined in different ways yielding different orderings provided that the 
orderings on abstractions satisfy properties such as irreflexivity , transitivity, 
monotonicity, stability, and totality on ground cases. These properties will be 
mentioned as needed in the proofs. 



4.2.1 Abstractions for Contexts. Different abs's are motivated and illus- 
trated using the comparison of s = f{i{f{a, a)),i(f(b, b)),i(f(c, c))) with 
t = f(i(f(a,b,b)),i(f(a,c,c))). Recall from previous section that any RPO- 
compatible simplification ordering must make s y a ct- 

There is only one candidate for each side — c s = ( A s , C s ) and c t = ( A t , C t ) 
where A s = A t = {a, a, a, a, a, a}. But, 



C s -C t = {({a,a},i(f(a,a))), {{a,a},i(f(b, b))), ({a,a},i(f(c, c)))}, 



whereas 



C t -C s = {({a,a,a},i{f{a,b, b))), ({a,a,a},i{f{a,c,c)))}. 

For defining candidate comparison, we compare the contexts of the elevated 
subterms by comparing the measures of the multiset differences A s — B and 
A t — A above. 




52 



Deepak Kapur and G. Sivakumar 



4. 2. 1.1 fcount. One way to define a measure of the contribution of a subterm 
is by using fcount on /-blocked terms as defined below. 

Definition 18. 

{ x if t = x, a variable, 

1 if top(t) = g yf, 

1 if t is a Small term w.r.t. /. 

For a multiset A of /-blocked terms, 

fcount(A, f) = '^2 f count (ti, /). 
ueA 

For example, fcount({g(x ) , x , a, y, x}, f) = 2* x + y + 2; fcount((j), f) = 0. 

The measure for any non- variable /-simple term is 1. A variable’s measure 
depends on what is substituted for it. If a(x) has no elevatable /-subterm, then 
<t(x) contributes 1. Otherwise, it may contribute more due to elevation and 
flattening. So, the variables in the measure only take values > 0 (i.e. x, y > 1 
above) . Given two measures, which are linear polynomials p and q , we compare 
them by checking if p — q > 0 for all non-zero positive integers for the variables. 
For example, (3x + 4) > (2x + 3), and (x + 1) > 2, but (x + 1) 2. 

4. 2. 1.2 Term. Another abstraction can be defined by considering /-blocked 
terms themselves instead of abstracting out how many / arguments they con- 
tribute. So abs(M , /) is defined as /(M) which is compared using the same un- 
derlying ordering since terms serving as indices are smaller in size. This leads to 
a different ordering since fcount does not distinguish between the contributions 
of /-blocked terms such as g(a) and g(c) (both have fcount of 1). 

An example which distinguishes this abstraction from fcount is to com- 
pare s = f(i(f(g(a),g(b))),g(c)) with t = f(i(f(g(a),g(c))),g(b)). Using fcount, 
t >- acS , but using the term abstraction, s >- QC i. 

In contrast to the above abstraction functions, in [7] , the context in a candi- 
date is a multiset of pairs, but the first component in a pair is the term obtained 
after deleting the subterm being elevated. For the example below, t >~ s, since 



s = 



f <a,b,c> 




f 



a c 




c >~ b, whereas using fcount or term abstractions, s yt since i(f(a, c)) yi(f(a, b)). 




Proving Associative-Commutative Termination 



53 



4.3 Examples 

We will use the f count abstraction in all the examples below. We assume / £ 
Fac and g > f > i > c> b > a. 

Example 7. s = ^ a <i{f(b,b))=t because / and f(i(b),b) >- ac f(b,b) 

due to the Context component using ({a},*(6)) ^({a},5). 

Example 8. s = f(i(b),b, i(b),b) >- ac f{i{f{b , b)),i(f(b , b))) = t 

Both sides have only one candidate each with Arguments component A s = A t = 

{a, a, a, a}, but C s — Ct = {({a}, i(b)), ({a}, i(b)}} whereas 

C t -C s = {({a}, b), {{a,a},i(f(b,b))), ({a}, b), {{a,a},i(f(b,b))}} . 

The pair ({a},i(b)) y({a,a},i(f(b,b))) because abs(A s — {a}) = 3 > 2 = 
abs{A t — {a, a}). Hence C s > C t . 

Example 9. s = , c)), b ) >- ac f(i(f(a, b)), c) = t. Arguments are the same, 

but C s -C t = {({a, a}, c)))} and C t -C s = {({a, a}, i(f(a, b))}}. Since 

i(f(a, c)) >-aci(f (a, b)), we have C s yC t . 

Example 10. s = f(x,x,x) F ac f(ci,b) = t. Since {x, x, x} >- ac {a, a}. 

Example 11. s = f(a , i(x)) y ac f(a, b) = t. Using x > a, A s = {a, a;} > {a, a} = 
A t . We also have ({x} : i(x)) ^({a}, b) since abs{A a — {x}) = 1 = abs{A t — {a}) 
and i(x) >- ac ^- 

It is quite easy to verify that with * >~ +, x * (y + z) )~ ac {x * z) + (y * z). 
Further, s = x*y*(u + v) >- ac x * ((y * u) + (y * v)) with * >- +. 



5 Proofs 

We prove the properties of >~ ac in the following order: irreflexivity, subterm 
property, transitivity, replacement, totality on ground terms. In the next section, 
we prove that >- ac is stable under substitutions. Most proofs are done using 
induction on the size of the term, or the sum of sizes of terms being compared. 
Except for the replacement and stability properties, the proofs are similar to 
proofs for RPO [4]. 

Property 19 (Irreflexivity). For every term t, we have t /Fact- 

Proof. By induction on \t\. If t = f{t\, . . . ,t n ), then if / ^ Fac > by induction 
since {ti, . . . ,t n } {ti, . . . , t n }, we have the desired result. If / € Fac , we have 
similarly cands(t, /) / 'c™ ul cands{t, /). 

Property 20 (Subterm). If s F ac t, then s >- ac tj for any proper subterm tj 
of t and also h{. . . s . . .) >- ac t for any proper superterm of s. 

Proof. As in [4], we can prove these two simultaneously by induction on (|t|, |s|) 
and case analysis. 




54 



Deepak Kapur and G. Sivakumar 



Property 21 (Transitivity). Given s = f(si,...,s n ),t = g(ti, . . . ,t m ) and 
u = h{u i, . . . , Uk), if s y ac t and t y ac u, then s y ac u. 

Proof. By induction on |s| + |t| + u|. All cases except f = g = h € Fac are 
very similar to [4]. In this case also (i.e., f = g = h £ Fac), since all terms 
in any component of cands^s, /), cands(t, /), cands(u , /) are strictly smaller in 
size than s, t, u, respectively, and since the comparison of abstraction function 
( abs(M , /)) is also transitive, we have the desired result by induction. 

To show the replacement property, we first prove a useful lemma. 

Lemma 1 (Candidates Property), s y nc t and f £ Fac implies 
cands(sj) y c mul cands(t, /). 

Proof. By induction on (|t|, |s|). The base case when t is a constant or a variable 
is simple. Otherwise, let s = g(s i, . . . , s m ) and t = h(t \ , . . . , t n ). We now do case 
analysis on the relation between g and /. 

1. g y f: In this case s has only one candidate c s =({s},</>). In any candi- 
date c t = ( A t: C t ) € cands(t, /), we have by Property 14, {t} > A t . By 
transitivity, we have {s} yJ£ ul A t . Thus c s y c Ct for any c* which means 
cands(s, f) yj nul cands(t, f). 

2. g = f: Consider the cases for h. 

(a) h y /: Since s >- ac t and h y f = g, for some i, either Si y ac t in which 
case, by induction, cands(si , /) >- c mui cands(t, /), or s» in which case 
by Property 15, cands(si, f) = cands(t , /). 

Since top(s) = /, for every ( A Si ,C Si ) £ cands(s{, /), there is a ( A S ,C S ) 
£ cands{s , /) with A Si C A s and C Si C C s , by the definition of candidate 
construction. Hence, cands(s,f) y^^cands^,/). 

(b) h = /: In this case since f = h = g and s y ac t, by the definition of y ac , 
cands(s, /) ^ c m “*conds(t, /). 

(c) / >- h: If t = h(ti, . . . ,tn) is a Small Term, then the only candidate c t 
of t is ({a}, {({a}, t)}). Since top(s) = /, in any candidate c s = (A s , C s ) 
£ cands(s,f ) we must have |A S | > 2 and hence A s y„!? ul {a}. So, 

Cs F c Ct- 

Otherwise if t is not a Small Term, t must have at least one proper 
elevatable subterm t’ . Since s y ac t, s y ac t' for each subterm t' of t using 
the subterm and transitivity properties. By induction, cands(s, f) y™ ul 
candsit ' , /) for every elevatable subterm t' of t, that is, for every cp = 
(A\ C') £ cands(t\ /) there is a c s = ( A S ,C S ) with c s Ct'- 
Also, by the definition of cands(t , /), since / y top(t ), every candidate 
c t of t can be written as c t = ( A! ,C' U {(A',f)}) where ( A',C' ) £ 
cands{t' , f ), meaning there is one extra pair (A',t) in Ct than in Cp. 
We must show that c s can take care of this pair also. 

Consider the cases used to show c s y c c t j. If A s yj£ ul A’ then we also 
have that c s y c Ct- Otherwise, we must have A s F ac mul A' and C s y C' . 
We must show that there is at least one (B, ss) £ C s — C' that can take 
care of ( A',t ) also as follows. Since top(s) = /, by Property 14, B C A s . 
Hence abs((A s — B) ^ (j>) > abs{{A' — A!) = (j>). This implies C s yC t 
also. Hence c s c t also and cands(s , /) ^ C mui canc?s(t, /). 




Proving Associative-Commutative Termination 



55 



3. / >~ g: Consider the cases for h. 

(a) h >- / or h = /: Since top(t) >- top(s) and s >- ac t , by the definition 
of >- oc , either there is some S{ )~ ac t (then by induction, cands(si, f) 

y c mul cands(t, /)) or s» ~t (in which case cands(si , /) = cands(t , /)). 
Since / >~ top(s), for every candidate (A Si , C Si ) £ cands(si, /), we have 
(A Si , C Si U(A Si , s)) £ cands(s, /). So, in the either case above, cands(s, f) 
^ c mul cands(t, /). 

(b) / >- h: If t = h(ti, . . . ,t n ) is a Small Term, then the only candidate 

c t of t is ({a}, {({a}, t}}). If s is also small then its candidate c s = 
({a}, {({a}, s)}) is clearly bigger than c t . Otherwise, let s have an ele- 
vatable subterm s' and let c s = (A s , C s ) be the candidate obtained by el- 
evating s' from s. If s' is Big or top(s') = /, then A s and hence 

c s >- c c t - Finally, if s' = x, a variable, then A s = {cc} hac mul { a } = At 
and ({x},s} >~({a},£) since a&s({a;} — {x}) = a&s({a} — {a}) and s >- ac t- 
Otherwise if t is not a Small Term, t must have at least one proper 
elevatable subterm t'. Since s >- ac t, s >- ac t' for each subterm t' of t using 
the subterm and transitivity properties. For every elevatable subterm 
t' of t, by induction, cands(s , /) >- c mul cands(t ' , /), i.e. , for every = 
(A' , C') £ cands(t', f) there is a c s = ( A S ,C S ) with c s c t >. 

By the definition of cands(t , /), every candidate Ct of t can be written as 
Ct = (A t ,Ct) = (A 1 , C'U {(A', t)}) where c t > = (A',C') £ cands(t',f) for 
some elevatable t' . As before, there is only one extra pair in the context. 
Since cands(s, /) y c mul cands(t\f), there is some c s = (A S ,C S ) £ 
cands(s, f) with c s Ct>. 

If As y- mul A' then c s >- c Ct . Otherwise, A s > A' and C s >- C' . Since 
f > g = top(s), (A s ,s) is in C s . Also, this tuple cannot be in C' since 
s )~act and s, therefore, cannot be a subterm of t. Also (A s ,s) y(A t ,t ) 
since s >- a ct- 

Thus cands(s, /) )^J nul cands(t : /) in this case also. 

Using the above lemma, it is easy show the replacement property. 

Property 22 (Replacement), s >- ac t and / £ F implies s' = /(..., s , . . .) >- ac 
/(• =t'. 

Proof. If f ^ Fac, then this follows directly from the multiset comparison. 

If / £ Fac > then by the previous lemma cands(s, /) yj nul cands(t, /). Since 
every argument in s' and t! other than s and t is the same, and cands{s ' , /) (sim- 
ilarly cands(t ' , /)) is simply a component-wise summation of contributions from 
each argument, we have that cands(s ' , /) >~ c mMi cands(t ' , /) and hence s' >- ac t ' . 
Monotonicity is a direct corollary of the replacement property. 

Property 23 (Ground Totality). Let s = f(S) = /(si,...,s n ) and t = 
g(T ) = g(ti,- • t m ) be ground terms, and >- be any total precedence relation 
on F . Then s and t are comparable. That is, s ~ t, or s >~ ac i, or t >- a cS. 

Proof. By induction on ,s + |f|. The basis case is when s and t are constant 
symbols, and this follows from the totality of >~ . Further, when / ^ g or /, g 




56 



Deepak Kapur and G. Sivakumar 



are not in Fac, the proof that s and t are comparable, is the same as in the 
proof of totality of RPO on ground terms. 

When, / = g G Fac , then by Property 16, cands(s, f ) ^ ac cands(t , /). Since 
terms in a candidate of s (t) are strictly smaller in size than s (t, respectively), 
and abs used to compare the first component in the pairs in contexts is total for 
ground terms, s and t are comparable in this case also. 

From the ground totality, we have the following property used later in proving 
that >- ac is stable under substitutions. 

Property 24 (Maximum Candidate). Let s be a ground term. Then s has 
a maximum candidate, i.e. there is c m G cands(s, /) such that c m >~ c c s for any 
c s G cands(s, f) with c s =£ ac c m . 

6 Stability of >- ac 

We first analyze the effect of application of a ground substitution a to a term 
s and the relationship between candidates of s and sa using an example. We 
show how the biggest candidate from a ground substitution of each variable can 
be used to construct the biggest candidate for a(s). To prove that the ordering 
>- ac is preserved under a ground substitution a, we compare cr(s) with a(t) 
by comparing their biggest candidates constructed using the biggest candidates 
of substitutions. Later, we sketch a proof of stability of y ac for an arbitrary 
substitution. 

Consider the term s = i{f{x, x ) with / G Fac and the ground substitution 
a= {x gt} where gt = j(g(a), f(b, c)). 

The term s has only one candidate ({x,x},{({x,x},i(f(x,x)))}). The term 
gt has two candidates c\ t = {{g(a}}, {({g(a}}, j(g(a), f(b, c)))}) and 
c 2 g t = <( a > a}, {({a}, b), ({a}, c), ({a,a},j(g(a),f (b,c))}}}. Note that c\ t > c c 2 gt . 

sa = i(f(j(g(a), f(b,c)),j(g(a), f(b,c)))) has the following four candidates 
(only 3 are distinct). 

Cl = ({g(a),g{a)}, {({g(a)},j(g(a),f(b,c))),{{g(a)},j(g(a),f(b,c))), 

{{g{a), g(a)}, i(f(j(g(a), f(b, c)),j(g(a), f(b, c)))))}) c 2 = ({g(a), a, a}, 
{({g(a)},j(g(a), f(b, c))), ({a}, 6>, <{«}, c), ({a, a},j(g(a), f(b, c))), 

{{g(a),a,a},i(f(j(g(a),f(b,c)),j(g(a),f(b,c)))))}) c 3 = ({a,a,g(a)}, 
i({g(a)},j(g(a), f(b, c))), ({a}, 6>, <{«}, c), {{a, a},j(g(a), f(b, c))), 

({a,a,g(a)},i(f(j(g(a),f(b,c)),j(g(a),f(b,c)))))}) c 4 = ({a,o,a,a}, 
{({a, a},j{g{a), f(b, c))),({a}, b),{{a}, c), ({a}, b), ({a}, c), 

({a, a},j(g(a), f(b, c))>, ({a, a, a, a}, i(f(j(g(a), f(b, c)),j(g(a), f(b, c)))))}> 
Of these four, we say that c\ and c 4 are obtained by uniform replacement since 
they always use the same candidate of gt when handling different occurrences 
of x, while c 2 and c 3 have been obtained by non-uniform replacement. Note also 
that Ci is the biggest candidate of sa, and c 4 uses the biggest candidate c gt of 
the term substituted for x. We formalize this notion below. 

Definition 25 (Parent Candidate). Let s be any term, / G Fac , be any 

ground substitution, and c sa = ( A sa ,C sa ) G cands(sa, /). Let V S a be the posi- 
tions in sa used (where elevations are done) in the derivation of c stT . Let V s be 




Proving Associative-Commutative Termination 



57 



the restriction of V S a to positions in s (i.e. omit any positions not in s). We call 
c s = {A s , C s ) derived using V s as the parent candidate of c sa in s. 



Definition 26 (Uniform Replacement). Let / € Fac and A be any multiset 
of /-blocked terms, i.e., A has only variables, small terms, and terms with top 
symbol bigger than /. Let a = {xi i— > gti} be a ground substitution. Let c 9 t 4 = 
( A gti , Cgti) € cands{gti , /). The multiset A a is obtained by uniform replacement 
by candidates (denoted A a = urep{A, {x^ i— > A gti })) if 

4 — I I / ^-gU if s = Xi for some i 
II_ U I {scr} otherwise 

seA 



Lemma 2 (Argument Substitution). Let A a = urep{A 1 {xi i— > A gti }) where 
A, /, o as in the definition above of uniform replacement. Then {A)o > A a where 
(A)cr = UseA sa - 

Proof. Follows from Property 14 that {gti} > A gti . 

Lemma 3 (Uniform Replacement Candidate). Let s be a term, f £ Fac, 
and a = {x^ i— > gtf} be a ground substitution. Let c s = (A S ,C S ) £ cands{s, f) 
and c gti = ( A gti , C gti ) e cands(gti , /). Let A sa = urep{A s , {xi e-> A gti }) and 

C S a = U {{urep(B, {x^ ^ A gti }), ssa)} 

(B,ss)£C s 



Then c sa = { A sa ,C sa ) (denoted c sa = urep{c s , {xi i— > A gti })) is a candidate of 
so. 



Proof. Since every ss £ A s is at some elevatable position A in s, in so also, A 
is an elevatable position. Because of the way candidates are defined, the above 
replacement of each variable by the candidate derived from its substitution in 
o, the above construction gives a valid candidate for so. 

In the example at the beginning of this section, candidates Ci, C4 are obtained 
by uniform replacement. 

Definition 27 (Maximum Replacement). Let o = {xi 1— > gti} and c 9 t 4 = 
{Ag^, Cgti) = max(cands(gti, /)), the maximum candidate of gti. Then, 
mrep{c s , o) = urep(c s , {xi 1— > A gti }). Similarly, if A is any multiset of /-blocked 
terms, then mrep{A, o) = urep(A, {xi i— > A gti }). 



Lemma 4 (Biggest Candidate). Let so be any ground instance of s using 
some ground substitution o = {x^ 1— > gti}. Let c sa = {A sa ,C sa ) = 
max(cands(so, /)). Let the parent candidate of c sa be c s . Let c m = {A m , C m ) = 
mrep(c s , o) . Then c sa = c m . 




58 



Deepak Kapur and G. Sivakumar 



Proof. By contradiction. Assume c sa ^ c m . This implies that there is at least 
one elevatable position A in s with s/X = Xj a variable and the contribution of 
so / A = gtj to c sa and c m are different. 

Let (A ™ tj , C^.) be the maximum candidate of gtj. By definition of mrep this 
is used to contribute to c rn . Let some other (i.e. smaller) candidate {A gtj ,C gt:) ) 
of gtj be used to contribute to c sa . We can now construct a candidate c' S(J of 
so with c' sa c c sa by keeping all other things the same, but only at position A 
using {A™ tj ,C™ tj ) instead of (A gtj ,C gtj ). 

This contradicts that c sa = max(cands(so, /)). 

Property 28 (Abstraction Property 1). Let / £ Pac > A, B be multisets of 
/-blocked terms, and o any ground substitution. Then fcount(A, /) > 

fcount(B, f) implies fcount(mrep(A,o),f) > f count (mrep(B, o), /). 

Proof, /count (A, f ) > fcount(B, f) implies that Vars(B) C Vars(A ), since all 
non- variable terms have an /count of 1. Also, in mrep , any non- variable term t 
is replaced by to which is also a non- variable with /count of 1. (Note that this 
property is also preserved by the second abstraction abs(A) = /( A ) since s )~ ac t 
implies Vars(s) C Varsit).) 

Property 29 (Abstraction Property 2). Let / £ Pac, A, B be multisets of 
/-blocked terms, and o any ground substitution. Then (/ count{A , /) > 

/count(B, /)) implies /count(mrep(A, o), /) > / count (mr ep(B, o) 7 /). 

Proof. Similar to the previous property. 

Lemma 5 (Ground Stability Property). Let s,t be any terms with s >- ac t. 
Let o = {xi i— > gti} be any ground substitution such that so and to are ground. 
Then so >- ac to . 

Proof We use induction on (\t\, |s|). The base case when t is a variable or 
a constant is easy. So, let s = /(s i , . . . , s n ) and t = g(t \ , . . . , t m ). Consider the 
cases used to show s )~ ac t. In all cases except / = g £ Fac , a straightforward 
use of the inductive hypothesis leads to a proof. 

Consider the case of / = g £ Fac ■ Let c t<7 be the biggest candidate of to. 
Let Ct = (A t ,Ct) be the parent candidate of Ct a ■ Then, ct a = {Ata,Cta) = 
mrep(ct, o). Since s >- ac t , we must have a candidate c s = ( A S ,C S ) of s with 
c s >- Ct- Let c sa = (A scr , C sa ) = mrep(c s , o) be the biggest candidate of so. We 
prove c sa 'Cc Ct a by considering the cases used to show c s >~ c Ct- 

1. A s )~acAt- Without loss of generality, we assume A s n A t = 4> for common 
terms make the same contributions to A sa and A ta which are obtained by 
maximum replacement in A s and A t respectively. 

Consider tt £ A t — A s . Since A s £ A t , we must have ss £ A s — A t with 
ss >- ac tt. Also, ss is not a variable since x t for any t. Hence sser € 
A sa . By induction, sso >- ac tto. If tt is not a variable then tto is itself the 
contribution of tt to A ta = mrep(A t ,o). If tt is a variable Xi, then also 
{tto} = {gti} > A gti . Hence ss makes a bigger contribution to A sa than tt 
does to A u j. Thus A scr >~ A ta . 




Proving Associative-Commutative Termination 



59 



2. ( A s y ac A t ) and C s yC t : As in the previous case, A sa = mrep(A s ,o) > 
mrep(A t , o) = A ta from A s > A t , since all terms in A s and A t are strictly 
smaller in size than s and t respectively. If A scr y A ta we are done. So, let 
A scr = A t(T (since these are multisets of ground terms) . 

We now show C sa y C ta ■ Note that C sa ( C ta ) is constructed using maximum 
replacement in C s ( C t ). Let ( A , tt ) € C t — C s and ( A , ss) € C s — C t be the 
pair such that ( abs{A s — B),ss) y(abs(A t — A),tt). 

By the definition of uniform replacement, C sa includes ( mrep{B,o),sso ) 
whereas C tG includes (mrep(A, o) , tto) . By Property 29, 
fcount(mrep((A s — B), o), f) > f count (mrep((A t — A), o), f) since 
fcount((A s —B), f) > fcount((A t —A),f). If f count(mrep((A s —B) , a) , f) > 
f count (mrep(( A t — A), a), /), then we are done. 

If fcount(mrep((A s — B),a),f) = f count (mrep((A t — A),a),f), then 
ssa y ac ttcr by induction since ss y ac tt. 

So, we have C sa y Cta- 

Since Cta = mrep(t, a) is the biggest candidate of fa, and c sa y c Cta we have 
scr y ac ta. 

Theorem 30 (Stability Property). Let s,t be any terms with s y ac t, and 
<j = {xi i— > ti} be any substitution. Then sa y ac t(J. 

Proof. (Sketch) 

It is easy to see that any substitution o can be written as a sequence (com- 
position) of simple substitutions of the form o = {x y} and <j = {x 
h{zi, ■ ■ ■ , Zk)}, where h is a function symbol of arity k > 0. It thus suffices to 
prove that y ac is preserved under these two kinds of substitutions. 

The stability proof for o = {ih y} follows easily by case analysis guided 
by the definition of y ac . The proof for a = {x i— > h{z \ , • • • , Zk)} is interesting 
especially for the case when / >- h, where / £ F ac , as different occurrences of 
x in s, t can lead to many different candidates in scr and to; other cases can be 
easily considered by case analysis. 

We consider the case of / y h. For every candidate of s (and t) in which 
x appears uniquely in the Arguments component, k candidates are generated 
in so (and to), one for each argument Zi. Given s y ac t, for every (uncommon) 
candidate of t, there is a bigger candidate of s; then for every corresponding 
candidate to, it is possible to find a bigger candidate of so. Unlike in the proof 
of ground stability, the concept of biggest candidate cannot be used since terms 
with variables are being considered, and we cannot compare a candidate due to 
the argument z\, for instance, with a candidate due to the argument Zi of h. 
If x occurs many times in the Arguments component of candidates of s and t, 
even then for every corresponding candidate of to in which different arguments 
of h(zit • • • , Zk) may be used for different occurrences of x, a bigger candidate of 
so can be suitably constructed. 




60 



Deepak Kapur and G. Sivakumar 



7 Conclusion 

We have discussed an RPO-like scheme for defining a well-founded ordering on 
AC-equivalent terms. The scheme works for general terms (including non-ground 
as well as ground terms) . If the precedence relation on function symbols is total, 
then the scheme defines a total well-founded ordering on AC-equivalent ground 
terms. Distributivity axioms can be oriented in the proper direction by making 
x * (y + z) > (x * y) + (x * z) when both * and + are AC operators and * > +. 
Orderings defined using this scheme can be easily implemented. 

The proposed scheme is general and it simplifies the definitions in our earlier 
paper [7], even though the basic concepts of candidates and constructions for 
generating candidates in the two papers are related. In fact, it was our attempt 
to simplify the definition in [7] and related insight leading to the proposed def- 
inition. Three different orderings for the same precedence relation on function 
symbols are discussed. They all first compare terms by first ignoring symbols 
smaller than AC operators. In case that is not sufficient to compare terms, sub- 
terms with smaller symbols which get elevated and their contexts are compared 
(in the reverse order). The orderings differ in how these contexts are compared. 

To define candidates and for elevation, it is required that every AC function 
symbol should be comparable with other symbols in the precedence relation. In 
this sense, the precedence relation on function symbols need not be total, insofar 
as the requirement to have a total ordering on ground terms is relaxed. 

A weakness of the proposed ordering scheme is that unlike in the case of 
RPO for non-AC ground terms, it is not possible to define a family of order- 
ings by incrementally adding precedence on function symbols. It is unclear how 
to generalize the concept of a candidate if precedence relation between an AC 
symbol and other symbols is unknown. 



References 

1. Bachmair, L., and Plaisted, D.A. (1985): Termination orderings for associative- 
commutative rewriting systems. J. Symbolic Computation, 1, 329-349 

2. Ben Cherifa, A., and Lescanne, P. (1987): Termination of rewriting systems by 
polynomial interpretations and its implementation. Science of Computer Program- 
ming, 9, 2, 137-160. 

3. Delor, C., Puel, L. (1993): Extension of the associative path ordering to a chain of 
associative commutative symbols. Proc. of 5th Inti. Conf. on Rewrite Techniques 
and Applications (RTA-93), LNCS, Springer- Verlag, 389-404. 

4. Dershowitz, N. (1987): Termination of rewriting. J. Symbolic Computation, 3, 69- 
116. 

5. Gnaeding, I., and Lescanne, P. (1986): Proving termination of associative- 
commutative rewriting systems by rewriting. Proc. of 8th Inti. Conf. on Automated 
Deduction (CADE-8), Oxford, LNCS 230 (ed. Siekmann), Springer Verlag, 52-60. 

6. Kapur, D., and Sivakumar, G. (1995): Maximal extensions of simplification or- 
derings. Proc. of 15th Conf. on Foundations of Software Technology and Theoreti- 
cal Computer Science (ed. Thiagarajan), Bangalore, India, Springer Verlag LNCS 
1026, 225-239, Dec. 1995. 




Proving Associative-Commutative Termination 



61 



7. Kapur, D., and Sivakumar, G. (1997): A total ground path ordering for proving 
termination of AC-Rewrite systems. Proc. Rewriting Techniques and Applications, 
8th Inti. Conf., RTA-97, Sitges, Spain, June 1997, Springer LNCS 1231 (ed. H. 
Comon), 142-156. 

8. Kapur, D., and Sivakumar, G.: A recurive path ordering for proving associative- 
commutative termination Technical Report, Department of Computer Science, 
State University of New York, Albany, NY, May 1998. 

9. Kapur, D., Sivakumar, G. and Zhang, H. (1995): A new ordering for proving ter- 
mination of AC-rewrite systems. J. Automated Reasoning, 1995. 

10. Kapur, D., and Zhang, H. (1995): An overview of Rewrite Rule Laboratory (RRL). 
J. Computer and Mathematics with Applications, 29, 2, 91-114. 

11. Lankford, D.S. (1979): On proving term rewriting systems are Noetherian. Memo 
MTP-3, Lousiana State University. 

12. Narendran, P., and Rusinowitch, M. (1991): Any ground associative commutative 
theory has a finite canonical system. In Book, R. (ed.) Proc. of flh Inti. Conf. on 
Rewrite Techniques and Applications (RTA-91), LNCS 488, 423-434. 

13. Rubio, A. (1997): A total AC-compatible ordering with RPO scheme. Technical 
Report, Technical Univ. of Catalonia, Barcelona, Spain. 

14. Rubio, A., Nieuwenhuis, R. (1993): A precedence-based total AC-compatible or- 
dering. In Kirchner, C. (ed.) Proc. of 5th Inti. Conf. on Rewrite Techniques and 
Applications (RTA-93), LNCS Springer- Verlag, 374-388. 

15. Steinbach, J. (1989): Path and decomposition orderings for proving AC- 
termination. Seki-Report, SR-89-18, University of Kaiserslautern. See also “Im- 
proving associative path orderings,” in: Proc. of 10th Inti. Conf. on Automated 
Deduction (CADE-10), Kaiserslautern, LNCS 449 (ed. Stickel), 411-425. 




Decision Procedures and Model Building 

or 

How to Improve Logical Information in 
Automated Deduction 



Alexander Leitsch 



Institut fiir Computersprachen 
Technische Universitat Wien 
Karlsplatz 13, 1040 Vienna, Austria 
leitschOlogic . at 



1 Introduction 

The field of automated theorem proving is about 40 years old. During this time 
many new logic calculi were developed which thoroughly reshaped the discipline 
of deduction. The key feature of these calculi, in contrast to the “traditional” 
logic calculi, is efficient mechanizability. Instead of proof transformation (as in 
classical proof theory) proof search became the main issue. Programs searching 
for proofs of theorems formalized in some logical syntax are commonly called 
theorem provers. Thus most of the existing theorem provers can be considered 
as (deterministic) implementations of (nondeterministic) calculi: in fact their ac- 
tivity essentially consists in production of deductions till a proof (or a refutation) 
of the theorem under consideration is eventually found. In order to be useful the- 
orem provers must (at least) be efficient, sound and complete. While soundness 
is absolutely mandatory, completeness may (in specific circumstances) sacrificed 
for higher efficiency. The first calculus which fulfilled all three requirements de- 
fined above was Robinson’s resolution [21]. For a long time, particularly in the 
seventies and eighties, increasing efficiency under preservation of soundness and 
completeness was virtually the only goal in the field of automated deduction. 
This was the time where most of the refinements of resolution, tableaux- and 
connection type calculi and equational calculi were developed. Only few papers, 
in particular those of S.Y. Maslov and W.J. Joyner, addressed the logical qual- 
ity of theorem provers, i.e. the amount of logical information they are capable 
to produce. The inverse calculus invented by S.Y. Maslov [16] was not just a 
new computational calculus; besides being complete the calculus could be put 
to use as decision procedure for the so-called K-class, a decidable first-order class 
properly containing the Skolem class. In fact the inverse calculus serves several 
purposes: 1. it is a general first-order theorem prover, 2. it terminates on K thus 
deciding the satisfiability problem for this class and 3. it is a metatheoretic tool 
to prove decidability of a first-order class. In particular the work of Maslov shows 
that, instead of proving provable theorems only, a calculus can be used to show 
that sentences are not derivable! A related approach of W.J. Joyner [11] is based 



R. Caferra and G. Salzer (Eds.): Automated Deduction, LNAI 1761, pp. 62—79, 2000. 
(c) Springer- Verlag Berlin Heidelberg 2000 




Decision Procedures and Model Building 



63 



on resolution; in fact he demonstrated that “ordinary” resolution provers based 
on ordering refinements of resolution can be used as decision procedures for some 
important well-known (decidable) first-order classes. In his approach - like in this 
of Maslov - a theorem prover, instead of producing proofs of provable theorems 
only, is used as consistency checker in a systematic manner. The merit of Maslov 
and Joyner consists in the observation that termination of a calculus is as im- 
portant as completeness. Note that, if a calculus is used as decision procedure, 
completeness is necessary - otherwise it is not sound! Due to the undecidability 
of first-order logic no sound and complete theorem prover can terminate on all 
input problems. But the systematic investigation where it terminates may help 
to improve the quality of inference systems: instead of using one fixed refinement 
of a calculus on all problems, a syntax check may yield membership of the prob- 
lem to a decidable class; the corresponding decision procedure can then be used 
as a theorem prover. The requirement of termination is of particular importance 
in an interactive inference environment: frequently a problem is incompletely 
specified resulting in a nonprovable sentence; “blind” inference most probably 
yields nontermination and, consequently, no information. 

Suppose that a complete resolution refinement terminates on a set of clauses 
C without producing the empty clause. All we know is that C is satisfiable, 
but we also want to know why\ The answer must, of course, be a model of C. 
In the first moment it seems to be absurd to ask for a model, after we have 
selected a method which just avoids production of models; in fact, resolution 
decision procedures merely produce sets of clauses, which - in case of satisfiability 
- only show the nonderivability of a contradiction. Nevertheless the produced 
sets (fixed points under the deduction operators) can sometimes be used to 
produce representations of Herbrand models in a purely deductive way. Therefore 
the construction of models can be considered as an end point of a deductive 
procedure. Note that model building as a postprocessing on termination sets 
differs from the method of search through finite domains. The former method 
is symbolic, while the latter one is semantic and, in some sense, “numeric”. 
Although finite domain search is fruitful to many purposes, it clearly fails in 
cases where finite models do not exist. We will even demonstrate that, for some 
decision classes, the resolution decision method can be easily extended to a model 
building method on the corresponding termination sets. Thus some inference 
systems can be considered as provers, decision procedures and model building 
methods; in particular this holds for hyperresolution and (in case of equational 
clause logic) for positive resolution + ordered paramoclulation. 

The purpose of this paper is not to present new results on decision procedures 
and model building, but rather to discuss the corresponding potential of current 
inference systems in general and point to open problems, possible improvements 
and extensions of the methods. First of all we illustrate that ordinary theorem 
provers can do much more than just the task they were designed for. Besides of 
only deriving □ out of unsatisfiable sets of clauses, many traditional methods 
can act as decision procedures and even model generators; it is a matter of 
mathematical analysis to characterize the syntax classes where this additional 




64 



Alexander Leitsch 



logical information can be produced. Then we point out the limitations of the 
traditional deductive methods concerning termination and model building. The 
extension of the clause syntax via equational constraints and the introduction 
of disinference rules, as applied in the model builder RAMC [5], is one of the 
successful methods to increase the semantic potential of theorem provers. But 
still there are many types of models which cannot be constructed via equational 
constraints. We point out that metaterms might be an adequate tool for a further 
improvement of decision procedures and model building. 

Generally we emphasize the need for more intelligent and not only for faster 
theorem provers. Indeed a theorem prover can be more than just a deterministic 
implementation of a logic calculus. It is a firm belief of the author that the sys- 
tematic analysis of logical information (e.g. satisfiability and (counter-)models) 
will not only lead to more intelligent inference systems, but - in the long run - 
also to faster ones. 

2 Notation and Definitions 

A set of literals A subsumes a set of literals B if there exists a substitution 9 s.t. 
Ad C B (we write A < ss B). We define a clause as a condensed set of literals; a 
set of literals V is called condensed if there exists no proper subset V of V s.t. V 
subsumes V . For example {P(x,a),P(a, x)} is condensed and thus is a clause; 
V = {P(x, a),P(a, a)} is not condensed because it subsumes {P(a, a)}; {P(a, a)} 
is called the condensation of T>. Clauses are written in form of disjunctions, thus 
P(x, a) V P(a, x) stands for {P(a, x),P(x, a)}. We choose the condensed clause 
form in this paper because it is frequently needed for termination of resolution 
decision procedures. For details concerning condensing and termination we refer 
to [13] and [7]. The positive part of a clause C is denoted by C + , the negative 
by C-. If C is a set of clauses we write P(C) for the subset of positive clauses in 
C. By sub(C ) we denote a subsumption-reduced subset V of C, where V is called 
subsumption reduced if for all D 2 £ V with D\ < ss D 2 it follows that D\ = 

d 2 . 

We write var(P) for the set of variables occurring in an expression or a set 
of expressions E. t(E) denotes the term-depth of E and r max (x, E) the maximal 
depth of an occurrence of the variable x in E. 

Substitutions are usually applied in postfix form and mgu stands for the most 
general unifier. 

Resolution is defined as in [21]. For a formal definition of a resolution refine- 
ment see [13]. For every resolution refinement x we define an operator R x s.t. 
for every clause set C 

R X {C) =C U p x {C) 

where p x is the set of all x-resol vents definable by clauses in C. For hyperresolu- 
tion the corresponding operator is denoted by Rh ■ If R x is a resolution operator, 
the deductive closure is defined as 

K(Q = U ^(C). 

*eiN 




Decision Procedures and Model Building 



65 



Herbrand models T of a set of clauses C are usually denoted by the set of 
ground atoms over the signature of C which are true in r. 



3 Theorem Provers as Decision Procedures 

Due to the undecidability of first-order logic, all correct and complete theorem 
provers are nonterminating on some classes of formulas. In case of resolution 
theorem proving on clause logic, every complete refinement of resolution is non- 
terminating on some (infinite) class of satisfiable clause sets. Of course this does 
not mean that, typically, refinements are nonterminating on all satisfiable sets of 
clauses. In fact even unrestricted resolution terminates on satisfiable problems 
like 

C: {->P(x,f(x)), P(f(y),y) V ->Q(y), Q(a)}; 

here the only new clause derivable by resolution is P(f(a), a). Thus, by running a 
theorem prover, we may hope that, besides producing refutations of unsatisfiable 
clause sets, it will terminate (by chance) on satisfiable problems. At this point 
two questions arise: 

(1) Should the typical inputs to resolution provers be unsatisfiable clause sets, 
i.e. is it realistic to assume satisfiability? 

(2) Is it possible, without sacrificing efficiency, to improve the behavior of 
provers on satisfiable sets? 

There is no trivial answer to question (1); satisfiable sets can be avoided alto- 
gether if we know in advance that the original problem A (where —*A has been 
transformed into clause form) is provable. But in this case we may ask, whether 
automated theorem proving should be focused on problems having well-known 
proofs. Suppose we admit that, in a realistic environment, there is no guaran- 
tee for the provability of A. Still we need not care about termination: We just 
apply different refinements and wait till some of them yields a solution; if all 
attempts to prove the theorem fail, we may try to find a finite model of C by 
exhaustive search through finite domains. We will try to show in this section 
that, in contrast to the approach defined above, there is a systematic way to 
improve termination of theorem provers - without inventing fancy refinements 
or expensive transformations. We will demonstrate that some part of theorem 
proving can be shifted from a purely experimental to a mathematical level and 
thus give a positive answer to question (2). Indeed many decidable subclasses 
of clause logic are (a) defined by simple syntactic criteria and (b) decidable by 
“ordinary” resolution refinements. 

Example 1. Let C be the set of clauses 

{P(a), ->P(x) V P(f(x)), -nP(c)}. 

C is a clausal form of the negation of the sentence 



A : [. P(a ) A (Wx)(P(x) =* P(f(x)))) =► (Vy)P(y), 




66 



Alexander Leitsch 



representing an “induction” axiom for P. Clearly A is not valid and thus C 
is satisfiable. Unrestricted resolution and positive resolution (coinciding with 
positive hyperresolution in this example) produce the infinite set of clauses 
(P(/"(a)) | n > 1} and thus do not terminate on C. On the other hand, neg- 
ative (lryper-)resolution and ordered resolution (based on a depth-ordering) do 
terminate. Indeed, negative resolution (one of the resolved clauses must be neg- 
ative) does not produce any resolvent on C. Moreover, in any “reasonable” atom 
ordering we have P(x) < P(/(x)), which - according to the ordering restriction 
- prevents the production of the resolvent P(f(a)). 

The set of clauses C defined in example 1 belongs to different decidable classes 
discussed in [7]. In particular it belongs to the class VA1ZT : {C | (VC £ 
C)|var(C)| < 1}, the set of all finite clause sets containing only clauses with 
at most one variable; VA1ZT is decidable by ordered resolution. The required 
ordering is just 

A <d B iff (1) t{A) < t{B) and 

(2) r max (x, A) < r max (: r, B) for all x £ var(A). 

(see [6] and [13]). Note that the ordering refinement has to be applied a posteriori, 
i.e. the resolved atom under the most general unifier of the resolution may not be 
smaller than a literal in the resolvent. In the example above the resolvent of P(a) 
and P(x) V P(f(x)) is blocked because the mgiL is {a: <— a} and P(a) <d P(f(a)). 

Thus we know how i? <d behaves on VA1ZT and recommend the following 
simple recipe: Test whether the input set C is in VATZ1. If so then apply R <d 
(we know it will terminate for sure); if not then we may try to locate C in another 
decision class; if also this fails we may apply an arbitrary refinement. 

We have seen in Example 1 that negative hyperresolution terminates on 
C, while the positive one does not. There is a syntactic property behind this 
phenomenon expressed in the decision classes WD and WD + . 

Definition 1. A (finite) set of clauses C is in WV + if for all clauses C in C: 

(1) var(C+) C var(C_), 

(2) Trnax (x, C+) < x ma x(x, C_) for x £ var(C+) . 

Roughly spoken, C £ WV + if, in all clauses of C, the positive part is 
“smaller” than the negative one (resulting in positive ground clauses and arbi- 
trary negative clauses). It is shown in [14] and [7] that positive hyperresolution 
terminates on WD + . The class WD generalizes WD + under sign-renaming: 

Definition 2. C £ PVV if there exists a sign-renaming rj with rj(C) £ WV + . 

Clearly the set C : {P(a), ~>P(x) V P(f(x)), ^P(c)} is not in WV + , but 
it is in WD: just apply the sign-renaming 77 : {P 4— -.p, ^P 4— P}. As a conse- 
quence, hyperresolution terminates on 77(C) : (PP(a), P(x) V ^P(/(x)), P(c)}. 
This example shows that, in classifying a set of clauses, we might need some 
transformations on sets of clauses (like renaming). Although the test for an ap- 
propriate renaming w.r.t. WD is NP-complete (see [4]) it is relatively cheap 




Decision Procedures and Model Building 



67 



if few predicate symbols occur in the problem. The class VVD exemplifies the 
following principle: 

Try to transform a set of clauses C into a set of clauses D s.t.V is mem- 
ber of a (well-known) decidable class and can be handled by an efficient 
refinement. 

In [14] a more general setting for sign-renaming and termination for hyper- 
resolution is discussed: instead of term-depth any other atom complexity measure 
can be applied. In general we may think of a prover generator which, after some 
syntactic analysis, selects a refinement automatically. The syntactic criterion 
given by resolution decision theory addresses termination. If we succeed to lo- 
cate C (or a corresponding transformed set T>) in a decidable class T, where 
T is decidable by the resolution operator Rr, then compute R* r (C). Of course 
this choice will not always minimize the computing time. On the other hand it 
is a good choice in the sense of logical information; eventually we will find out 
whether C is satishable or not. Anyway, experiments in [7] indicate that resolu- 
tion decision procedures behave well - also in practice; as a direct consequence 
of termination, decision procedures typically generate small and shallow clauses 
(at least on the decision class). Looking upon Example 1 we might suggest a 
much simpler procedure for attacking the problem. We observe that there exists 
a two-element model of C with domain {a, c} and an interpretation function T> 
defined by <P(f)(d) = a, <P(f)(c) = c, <P(P)(a) = t, <P(P)(c) = f. Then, why not 
adopt the following procedure: 

(*) Run a theorem prover in parallel with a finite model generator. 

The advantage of (*) is twofold: (a) it is easy to implement and (b) it yields 
more information (even a model) in case of satisfiability. On small domain size 
(roughly < 5) the method will be reasonably efficient, although - in contrast to 
resolution decision procedures - it strongly depends on the arity of predicate- 
and function symbols. So far the author does not know a systematic experimental 
comparison of these two approaches. The question remains whether, in principle, 
the methods differ in strength. In case that C is satishable but does not have 
finite models, (*) is clearly inappropriate (unless the prover itself acts as a logical 
decision procedure). This directly leads to the question: 

Can resolution decision procedures terminate on sets of clauses not hav- 
ing finite models? 

The answer is YES (traditional symbolic methods can solve problems unsolvable 
by (*)). Just take the following example (M. Baaz 1996, see [9]): 

Example 2. 



C: {P(x,x), ^P(f(x),f(y))VP(x,y), ~^P(c,f{x))}. 

It is easy to see that C is satishable but does not have finite models. Moreover, 
hyperresolution and <d-resolution both terminate on C (without producing any 




68 



Alexander Leitsch 



new clause) and thus detect satisfiability. If the principle (*) is realized by finite 
model generation with (a) negative (lryper-)resolution or with (b) linear resolu- 
tion (with top-clause ~^P(c, /(&))), it is nonterminating on C and thus fails. 

Sometimes termination can only be achieved by techniques which may reduce 
efficiency. One such method is the so-called “saturation” where instances of 
clauses are generated which cannot be obtained by most general unification. In 
particular saturation is used to obtain termination of resolution refinements on 
the Bernays Schonfinkel class and on the class 5+ (see [7]). From some point on 
there is a clear trade-off between logical information and efficiency: extending 
the range of termination may lead to a deterioration of efficiency on unsatisfiable 
sets of clauses. It then depends on our priorities whether we use the faster or 
the stronger method. 

As we should expect, the situation becomes more complex in presence of 
equality. First of all, many classes (like VAIZT and VVT>) become undecidable 
under admission of equality. Moreover equational inference methods like super- 
position and paramoclulation are much more “fertile” than resolution and thus 
are hard to control. However there are some nontrivial classes where decision 
procedures based on resolution + ordered paramoclulation or on the superposi- 
tion calculus can be defined. We just mention the Ackermann class + equality 
[8], the monadic class + equality [1] and the class WVJ (i.e. the class VVD with 
equality where all equational atoms are ground) [10]. Thus, also in equational 
clause logic, it is possible to systematically design calculi with a better behavior 
w.r.t. termination. 

4 Extraction of Models 

In section 3 we have shown how to improve the termination behavior of resolu- 
tion theorem provers. It is fair to mention here that resolution is not the only 
computational method which is capable of deciding classes and building mod- 
els. There exists corresponding research for semantic tableaux [12], constrained 
semantic tableaux [19] and hyper-tableaux [2]. It is just for the sake of clarity 
and simplicity that we focus on resolution and related methods, although many 
similar phenomena also occur in other computational calculi. 

So let us assume that a resolution refinement R x terminates on a set of clauses 
and yields the (finite) set R X (C) with □ ^ f?*(C). Although we know that C is 
satisfiable we are not yet in the position to specify a single model of C. We also 
know that there must be a Herbrancl model of C, but there may be infinitely 
many ones and we do not know how they are described by R*(C). In fact it 
turns out that the problem of extracting a single model out of R* X (C) strongly 
depends on the refinement R x . While it is difficult for ordering refinements, it 
is relatively easy for hyperresolution, which - already by its design - is a model 
building procedure in principle. Thus, for illustrating model extraction, it is most 
convenient first to focus on hyperresolution. 

If hyperresolution terminates on a set of Horn clauses C then P(R* H (C)), the 
set of all positive unit clauses in the deductive closure, “directly” represents a 




Decision Procedures and Model Building 



69 



Herbrand model. Indeed the minimal Herbrand model is just defined by the set 
of all ground instances of P(R* H (C)) over the Herbrand universe of C. Computa- 
tionally this makes sense only if the set P(R* H (C)) is finite. 

Definition 3. Let C be a set of Horn clauses and V = P(R* H (C)); ifV is finite 
we call it an atomic representation of the Herbrand model defined by the set of 
ground instances of V over the Herbrand universe of C. 

Atomic representations enjoy several favorable properties: 

(1) uniqueness, 

(2) there are algorithms for evaluating (arbitrary) clauses over the representa- 
tions and 

(3) the equivalence of representations is decidable. 

We believe that at least properties (1) and (2) should hold for any computa- 
tional model representation. After the definition of basic algorithms in [9] solving 
1. and 2. more efficient methods have been defined in [20]. 

Example 3. Let C be the set of clauses 

{P(a), -,P(x) V P(f(x)) t -P(c)}. 

Rh does not terminate on C, although (of course) the infinite set P{R* H (C)) : 
{p(/n( a )) | n g j\jj represents a minimal Herbrand model of C. But C £ WV 
via the sign renaming 77 : {P <— ->P, —>P 4— P} and we obtain 

C V = {P(c),-iP(f(x)) V P(s),-.P(o)}. 

After this transformation we get R* H (Crj) = Cp and thus {P(c)} is the atomic 
representation of a (minimal) Herbrand model of Crj. But note, we are interested 
in a model of C and not of C77! Clearly the interpretation P, defined by 

vr(P(t)) = t iff t is a ground term different from c, 

is a Herbrand model of C (although not a minimal one!). However it is not 
trivial (and in general impossible) to obtain an atomic representation of P ; here 
it works and we get A : {P(a), P(f(x))} as atomic representation of P. Note 
that P(c) is the only ground P-atom which is not an instance of an atom in A 
(over E = {a, c, /}). 

Already the simple example above indicates that constructing a model may 
be sophisticated, even if deciding satisfiability is trivial. In general a set of Horn 
clauses C in WV might “need” some sign-renaming 7 s.t. C7 € WV. But, 
in contrast to the example above, C7 need not be a set of Horn clauses; thus, 
although Rh terminates on C7 it need not produce an atomic representation of a 
model. However, for the well-known decision classes of hyperresolution like WV 
and OCCXJV ', models can be extracted by adding subsumption and a selection 
operation to hyperresolution [9] . 




70 



Alexander Leitsch 



Example 4 - Let C be the set of clauses 

{P(/(a),a) V P(/(6),a), ->P(f(x),a)VP(x,a), ->P(f(x),x)V~>P(x,x)}. 

C is in WT> but it is essentially non-Horn, i.e. Crj is non-Horn for every sign- 
renaming 77. But, in this case, C can be split into two sets of Horn clauses 

c i = {-P(/(a), a), ->P(f(x), a) V P(x, a),->P(f(x),x) V ->P(x, a;)} and 
Ci = {P(f(b), a), ->P(f(x), a) V P(x, a},->P(f(x), x) V ->P( x, x)}. 

C 1 and C2 are both in VVD+, but C\ is unsatisfiable and C2 is satisfiable (there- 
fore, of course, C is satisfiable). Thus splitting makes backtracking necessary. 
If there are more positive non-unit ground clauses splitting itself may become 
quite expensive. Moreover there are sets in VYD which cannot be transformed 
to Horn via splitting at all. 

Let us construct the closure R*h(C) of C itself under hyperresolution. Then 
we obtain the set 

R* h (C) = C U {P(f(b),a) V P(a, a), P(f(a),a) V P(b, a), 

P(a, a) V P(b, a), P(b,a), P(f(b),a)}. 

Even now splitting can be defective if we select P{a 1 a) out of the first and 
P(f(a),a) out of the second clause. But splitting is superfluous as all the non- 
unit clauses are subsumed by the unit clauses in R* H (C). After subsumption the 
remaining set of clauses is 

sub(R* H (C)) = {P(b,a), P(f(b),a), ->P(f(x),a)V P(x,a), 

^ P{f{x),x ) V ->P(x,x)}, 

which is also deductively closed under Rh ■ Consequently the set of positive 
clauses A : {P(b,a), P(f(b),a)} is an atomic representation of a Herbrand 

model of C. 

Example 4 suggests that splitting can be replaced by deductive closure un- 
der Rh and subsumption. It also shows that by omitting subsumption wrong 
alternatives are still available. In general it may be the case that, even after 
application of Rh and subsumption, positive non-unit clauses remain in the set. 
Then, instead of splitting, we may select an atom out of a positive clause, delete 
the original clause and iterate the procedure. 

Example 5 . Let C be the set of clauses 

{P{a) V P(f(a)), -P(x)V-P(/( *))}. 

Here we have sub{R* H {C)) = C and we don’t obtain positive unit clauses at once. 
But we may select both P(a) or P(/(a)) out of the first clause of C; the resulting 
clause sets are 



Ci = {P(a)^P(x) V -P(/(z))} and C 2 = {P(/(a)), nP(i) V -P(/(x))}. 




Decision Procedures and Model Building 



71 



Both C i and C 2 are satisfiable and deductively closed under Rh ; the corre- 
sponding atomic representations of Herbrand models are A\ : {P(a)} and A 2 : 

We have seen that subsumption plays an important role in constructing 
atomic representations. Thus instead of the operator Rh we need hyperreso- 
lution + replacement [13] defined by 

Rht{C) = sub(RH{C)). 

In contrast to Rh , the operator Rn r is not monotone, i.e. C C Rh t (C) does not 
hold in general. By the completeness of Rn r (see [13]), for every unsatisfiable set 
C there exist an i s.t. □ € R l Hr (C) and thus (by definition of Rht) R l Hr (C) = {□} 
(note that every clause is subsumed by □). We may say that, on unsatisfiable 
sets of clauses C, the replacement sequence (R l Hr {C))i<z\ n converges to □. On 
satisfiable sets of clauses the behavior of replacement sequences may be quite 
complicated. Fortunately on many decidable classes (like WV) we can guarantee 
that there exists always a number i with R l Hr (C) = R l ^{C)\ we then say that 
{R l Hr {C))i<z^ converges to R l Hr {C) and denote that latter set by R* Hr (C). There 
are ways to define the closure under replacement operators in general, but we do 
not need it here (we are only interested in working with finite termination sets) . 

We have seen in Example 5 that Rnr has to be combined with a function 
selecting atoms out of positive clauses. 

Definition 4. Tin atom selection function is a function which maps sets of 
clauses into sets of clauses with the following properties 

(1) a(C) = C if all positive clauses in C are unit and, otherwise, 

(2) a(C) = (C — {C}) U {A} for a nonunit positive clause C £ C and an atom 
A in C . 

Now closure and selection can be combined in a single operator which may 
serve as key transformation for the model building procedure. 

Definition 5. Let a be an atom selection function; then the operator T, defined 
by 

T(C) = a(R* Hr (C)) 

is called an mbh-operator (corresponding to a). 

In general the application of a (even to deductively closed) sets of clauses is 
incorrect (it may produce unsatisfiable clause sets out of satisfiable ones)! The 
following class defines the range of applicability for the transformations T and 
a: 

Definition 6. VVC (positively disconnected) is the set of all sets of clauses C 
with the properties 

(1) R* h (C) is finite and 




72 



Alexander Leitsch 



(2) If C is a positive clause in R* H (C) and L,M are two different literals in C 

then var (L) D var(M) = 0. 

Note that condition (2) alone would generalize Horn logic and thus yield an 
undecidable clausal class. The decision classes VVT> and OCCXN for hyperres- 
olution belong to VVC. In [9] the following general result is proven: 

Theorem 1. Let T be an mbh-operator. Then (T l (C))jgiN is convergent for all 
C £ VVC. The limes T k (C) is either the set {□} (then k — 1) or a nonempty 
finite satisfiable set of clauses C s.t. all positive clauses in C are unit; the set of 
these unit clauses then is an atomic representation of a Herbrand model of C. 

The principle of computation via iteration of T is correct even under more 
general conditions: if a only selects atoms out of ’’disconnected” clauses (i.e. 
clauses fulfilling (2) above) then the computation (T*(C)) ie ]N is correct; but we 
do not know whether it will terminate and, in case it terminates, whether all 
positive clauses in the resulting set will be unit (if not, we do not get an atomic 
model representation) . 

The situation becomes much more complex under resolution decision opera- 
tors different from hyperresolution. The following example of a satisfiable set of 
clauses is quite famous in the area of automated model building: 

Example 6. 

C = {P(x) V P(f(x)), ^P(x) V -P(/0 *))}. 

C is a clausal form of the formula (\/x)(P(x) <-> -> P{f(x ))). It is easy to see that 
C has two Herbrand models with the set of true atoms being Ai = { P(f n (a)) \ 
n even } and A 2 = { P(f n (a)) \ n odd } for some constant symbol a. Moreover 
there exists a finite model with two elements. 

It is easy to verify that hyperresolution, even under sign-renaming, does not 
terminate on C. Moreover none of the two Herbrand models can be represented 
by a (finite) atomic representation. Using the <d-ordering defined in Section 3 
we simply obtain 

R* <d (C)=CU{P(x)V^P(x)}. 

If we refine R< d by deletion of tautologies (which preserves completeness) then 
nothing new at all is derived; anyway, the tautology does not provide any useful 
information. Thus R <d essentially reproduces the set of clauses giving us the 
information of satisfiability but nothing about models. 

In [25] and [7] a symbolic method of finite model building is defined which 
covers the Ackermann- and the monadic class (and thus also Example 6). Ba- 
sically the method orients ground equations between elements of the Herbrand 
universe and uses the corresponding rewrite rules for narrowing on termination 
sets of an ordering refinement. The method is too sophisticated to be presented 
in detail here, but it can be demonstrated on the set of clauses from Example 6: 

Suppose that we search for a model fulfilling the term equation /(a) = a. Ori- 
enting this equation results in the rewrite rule R : f(a)-^a. Narrowing (see 




Decision Procedures and Model Building 



73 



[24]), based on R, terminates on C and yields the set 

C : CU{P(o),nP(a)}. 

which is unsatisfiable, a fact which is trivial here but is detected by the ordering 
refinement in general. Thus clearly there is no model over the Herbrand universe 
fulfilling the equation f(a) = a. The next attempt, however, is successful. We 
try the equation /(/(a)) = a which gives the rewrite rule R' : /(/(a)) — > a. 
Narrowing on C by R' gives the set 

C"=C U {P(f(a)) V V -P(a)} 

which is satisfiable. Because, over the Herbrand universe, the elements a and /(a) 
are the only normal forms under R' we know that there exists a two-element 
model of C with domain {a, (3} and an interpretation ip of / with ip(a) = (3 
and ip(/3) = a. Still the interpretation of the predicate symbol P has to be 
defined. Tammet’s method only produces the domain and the interpretation of 
the function symbols (which, in general, is the harder part); it does not specify 
the model completely. Again this simple example illustrates the problems of 
symbolic model building. 

In Section 3 we mentioned the problems arising in decision procedures if 
equality is added. So far there are computational decision methods for the 
Ackermann-class + equality and Monadic class + equality, but no model building 
procedures. To the best of the knowledge of the author, the class VVD J is the 
only equational clause class where a model building procedure has been defined 
so far [10]. The method is based on positive resolution and ordered paramodula- 
tion and is similar to that for VDC defined above; its output on satisfiable sets 
of clauses are equational atomic ground-representations. 

Definition 7. A set 

•A . {Ax, ... , A n } U {si tx,..., S m 

where the Ai are ground atoms and the Si,ti are ground terms, is called an 
equational atomic ground-representation. The represented Herbrand model is 
the set of all ground atoms M with A\= M (in equational clause logic). 

Note that me might also define the more general concept of equational 
model representations, where neither atoms nor equations need to be ground. 
In such a formalism, however, it is undecidable whether a ground atom is true 
in the represented model (by the possibility to encode the word problem of ar- 
bitrary equational theories) . The expressive power of equational atomic ground- 
representations is much higher than this of ground atoms only and it is incom- 
parable with atomic representations. Although the set of clauses C : {P(x) V 
P(/(x)), ~^P(x) V -nP(/(x))} is not in PVPJ (because it is not in VVV), the 
model {P(f n (a)) \ n even } is representable by {P(a), /(/(a)) = a}, which is an 
equational atomic ground-representation. However, the decision procedure for 
WV~ does not provide any means to extract this model from the set C. 




74 



Alexander Leitsch 



In symbolic model building, in contrast to finite domain search, the syntactic 
representation of models is a quite subtle matter. Trivially, infinite models like 
Herbrancl models cannot be represented just by tables. But it is easy to show 
that clause sets which can be decided by proof theoretic procedures always have 
recursive models. Moreover, for most resolution decision procedures, models can 
be defined by algorithmically specifying a branch in an infinite semantic tree 
(which can be traversed without backtracking); this was already pointed out by 
W.J. Joyner [11]. However, such procedural specifications are not very helpful 
as they are not suited for clause evaluation (model checking). Thus, apart from 
model building itself, symbolic model representations and evaluation over rep- 
resentations are of interest per se and have been investigated in several papers, 
e.g. [17] and [20]. Efficient evaluation algorithms for clauses over symbolic repre- 
sentations, in turn, may be of importance to inference itself: they pave the way 
for implementing new forms of semantic resolution (over more complex mod- 
els than just over settings [15]). The author firmly believes that in the future 
development of automated deduction such semantic methods will receive more 
attention than in the last decades. The investigation of the semantic potential 
of existing calculi is just a first and necessary step into this direction. 

5 Extensions of Clause Logic 

In Section 3 we have seen that there are clause sets having very simple models, 
where none of them can be described by an atomic representation. Thus in order 
to increase the power of model building procedures it is necessary to extend the 
syntax of clause logic. One way to do this is to introduce equality, another 
to introduce equational constraints. The first extensions of clause logic for the 
purpose of model building were investigated by R. Caferra and N. Zabel [5]. 
The method is called RAMC (Resolution and Model Construction) and has 
been improved in several papers [3], [18]. RAMC is a calculus on (equationally) 
constrained clause logic, which besides inference rules - uses model building 
rules based on dis-inference principles. It is outside the scope of this paper to give 
a detailed description of RAMC (the reader is refered to the papers mentioned 
above). Instead we take an example out of the paper [3] and illustrate the use 
of the key techniques. 

Example 7. Consider the set of clauses 

C = {Ci : P{ x, x), C 2 : ^P(x, y) V P(y , x), C 3 : P{x , y) V ~^P(f(x), f(y)), 

Ca : ^P(x, y) V P(f(x), f(y)), C 5 : -P(c, /(*))}. 

Like the similar clause set in Example 2, C does not have finite models. But 
here neither positive nor negative hyperresolution terminate. Ordered resolution 
(e.g. based on <d) does terminate, but (typically) does not produce an explicit 
model representation. RAMC is based on the fact that a clause in predicate 
logic can be considered as a representation of the set of all its ground instances. 
On the ground level some instances may be redundant either because they are 




Decision Procedures and Model Building 



75 



tautologies or because they are subsumed by other (ground) clauses; moreover 
some instances can be used for resolutions and others cannot. 

Let us consider C2 ■ ^P(x, y) V P(y, x ) first. If CO is a ground instance with 
xO = yd then C2O is a tautology and thus can be deleted. Therefore we restrict 
the set of ground instances by adding the constraint x 7^ y, which results in the 
constrained clause C 2 : ->P(x, y) V P(y, x) : x ^ y. The rule replacing C2 by C ' 2 
is called distautology rule. Similarly we can delete all ground instances C 3 0 with 
xO = yO because they are subsumed by P(x, x) (or by the corresponding ground 
instances). Thus the so-called dis sub sumption ride yields the clause 

C's ■■ P{x, y) V ->P(f(x), f(y)) : x ^ y. 

Similarly we can delete C4 and replace it by 

C\ : ->P(x, y) V P(/(x), f(y)) : x ^ y. 

The new set of clauses obtained after this operations is 

C' = {C 1 :P(x,x), 

C 2 : ->P(x, y) V P(y, x) : x ± y, 

C3 : p (x, V ) v ^P(f(x), f(y)) .x^y, 

C\ : ->P(x, y) V P(/(x), f(y)) :x^y, 

C5 : ~>P{c, /(x))} . 

Still C' does not describe a model explicitly. To this aim a rule, called GPL (for 
Generating Pure Literal), is applied which generates constrained unit clauses. 
Consider the set of all ground instances of C 1 : all occurrences of negative literals 
-iP(s, t) now fulfill s ^ t. Moreover all clauses containing complementary literals 
of the form P(s,t) and s ^ t either contain -<P(f(s),f(t)) or -<P(s',t') for 
f(s') = s and f(t') = t. In fact the constrained unit clause Cq : ~^P(x, y) : x ^ y 
does not infer with P(x, x) and subsumes the ground instances of all the clauses 
C 2 , C' 3 , C ' 4 and C5. 1 .e. once we add Cq, all other clauses except C\ can be deleted 
by the dissubsumption rule and satisfiability is preserved. What remains is the 
set of clauses 

C" : {Ci : P(x, x), C 6 : ->P(x, t/):i/ y} 

which logically implies the original set C and represents the Herbrand model M : 
{P(s, s) | s € H(C)}. Therefore C" can be interpreted as a model representation 
for C. 

The generation of Cq out of C is by no means trivial and is only achieved by 
an extension of the original GPL-rule called egpl. The instances P(s, t) for s/f 
are pure (in the sense of the Davis-Putnam rules) only w.r.t. the instances of 
Ci, but not w.r.t. the instances of C 2 , C ' 3 and C{ which are in fact self-resolving 
constrained clauses. This is analyzed by the algorithm EGPL defined in [ 3 ] which, 
in this case, produces Cq. 

Example 7 demonstrates that models can be constructed by using equa- 
tional constraints for partitioning the set of ground instances defined by a set 




76 



Alexander Leitsch 



of clauses. It is not hard to show that the real power of the constraints lie in 
inequalities among variables. If the equational constraints contain only positive 
occurrences of = then the constraints can be eliminated without changing the 
set of represented ground instances. In the set A : {P(x, y) : x ^ y} the inequal- 
ity is “essential”: There exists no (finite) set of atoms representing the same 
ground instances as A over the Herbrand universe {/”(c) | n £ IN}; in partic- 
ular this shows that atomic representations are not closed under complement. 
We see that, by the dis-rules, the calculus RAMC (essentially consisting of res- 
olution, subsumption, the corresponding ” dis-rules” and of GPL) extends the 
capacity of pure clause logic w.r.t. model construction. Clearly, the application 
of dissubsumption and of other dis-rules (which may lead to more complicated 
constraints) can become quite expensive. Thus, again, a classification prior to in- 
ference would make sense: If we find out by a syntax check that the set of clauses 
cannot be treated by hyperresolution (i.e. we have no guarantee that a model 
can be found) then we may try RAMC. In [18] it is shown that even RAMC is 
not successful in all cases where the sets of clauses possess models representable 
by constrained literals. But the inference systems RAMCET and EQMC defined 
in [18] are capable of producing all models having such representations. 

Still the equational constraint formalism fails on examples like Example 6: 

V: {P(x)VP(f( x)), ~^P{x) V ~iP(f(x))}. 

The only Herbrand models Mi : {P(f 2n (a)) \ n £ IN} and M 2 '■ {P{f 2n+1 (a)) \ 
n £ IN} are not representable via constrained literals. Therefore RAMC cannot 
handle this case (and is nonterminating). In Section 4 we have seen that the 
models Mi and M 2 are representable by ground equational atomic representa- 
tions: Mi by {P(a), /(/(a)) = a} and M 2 by }P(/(a)), /(/(a)) = a}. Note that 
here = is the equality predicate which plays a different role than = in the equa- 
tional constraints! But the problem remains that, so far, no reasonable general 
algorithms producing such representations are available. 

An interesting and powerful mechanism to increase the expressive power of 
first-order calculi is provided by meta-terms (see [23] and [22]). Think about the 
expression P(f 2n (a)) as an element of the object language and extend the set 
V above to 



& = {P(x)VP(f(x)), -iP(x) V -iP(f(x)), P(/ 2 »)}. 

First of all, all ground instances P(s) V P(f(s)) are subsumed by the unit 
ground clauses represented by P(/ 2n (a)) and thus the clause P(x) V P(f(x )) 
can be deleted. Secondly, there are no clash resolvents among P(f 2n (a)) and 
-<P(x) V -iP(/(x)). Indeed the only ”meta” -resolvent which can be obtained 
within the clash is ^P(/ 2ll+1 (a)) which does not resolve with P(/ 2n (a)). As 
a consequence, the set {- 1 P(x ) V ~^P(f(x)),P(f 2n (a))} is stable under meta- 
hyperresolution and so P(/ 2 ”(a)) represents a model of C. Again, the problem 
of generating the appropriate meta-expressions remains. The following example 
shows that the meta-term formalism surpasses both equational constraints and 
equational atomic representations: 




Decision Procedures and Model Building 



77 



Example 8. 



C = {-<P(x, x), ->P{x, y) V P(x, f(y)), P(x,f(x))}. 

It is not hard to realize that 1. C has no finite models and 2. C has only one Her- 
brand model, namely M : {P(f n (a)), f m {a)) \ n < to}. Although there exists 
a (very complicated) A-ordering refinement which terminates on C (the ’’usual” 
ones don’t terminate) it does not yield a representation of a model. Moreover 
there are neither (equational) atomic nor constrained atomic representations of 
A4. In particular, as C is Horn (even under sign-renaming), hyperresolution does 
not terminate on C. But, again, meta-terms can do the job. 

In [22] an algorithm is defined which automatically generates meta-expres- 
sions by analyzing cycles within clauses (i.e. the possibilities of self-resolution). 
Applied to this example the algorithm first computes the meta-hyperresolvent 
P(x, f n+1 (x)) out of P(x, /(&)) and ~>P(x, y) V P(x, f(y)) (note that the “pow- 
ers” of the second clause are of the form ~^P{x,y) V P(x, f n+1 (y))). The new 
meta-clause P(x, f n+1 (x )) then subsumes P(x, f(x)), which can be deleted. The 
resulting set of clauses 

C' : {-<P(x,x), ~jP(x,y)W P(x,f(y)), P{x, f n+1 {x))} 
is a fixed point under meta-hyperresolution and yields the model representation 

A = {P(x,P+\x))}. 

A then represents exactly the ground instances 

{P(f m (a),f m+n+1 (a)) | to, n G IN} 



over H(C). 

The method in [22] (originally) is not designed for automated model building 
and, unlike RAMC, does not work over a fixed universe. In particular it cannot 
automatically produce the meta-clauses P(f 2n (a)) or P(f 2n+1 (a)) out of the 
set {P(x) V P(f(x)), -■ P(x ) V ~<P(f(x))}. It would be interesting to modify the 
method according to the needs of model building. 

Example 8 indicates that, in contrast to purely refutational theorem proving, 
termination and model building require stronger formalisms than those provided 
by first-order logic. With respect to model building meta-terms (and schemati- 
zations in general) cannot only lead to a speed-up of existing first-order calculi 
but, much more, to an increase of expressive power. A mathematical analysis 
leading to powerful and fast algorithms for meta-term generation could indeed 
cause a major breakthrough in the field of automated model building and of 
computational decision procedures. 




78 



Alexander Leitsch 



References 

1. Leo Bachmair, Harald Ganzinger, and Uwe Waldmann. Superposition with sim- 
plification as a decision procedure for the monadic class with equality. In Com- 
putational Logic and Proof Theory, KGC’93, pages 83-96. Springer, LNCS 713, 
1993. 

2. P. Baumgartner, U. Furbach, and I. Niemela. Hyper-tableaux. In Logics in AI, 
JELIA ’96. Springer, 1996. 

3. Ch. Bourely, R. Caferra, and N. Peltier. A method for building models automati- 
cally. Experiments with an extension of Otter. In Proceedings of CADE-12, pages 
72-86. Springer, 1994. LNAI 814. 

4. A. Brandi, C. Fermiiller, and G. Salzer. Testing for renamability to classes of 
clause sets. In M. P. Bonacina and U. Furbach, editors, Int. Workshop on First- 
Order Theorem Proving (FTP’97), RISC-Linz Report Series No. 97-50, pages 34- 
39. Johannes Kepler Universitat, Linz (Austria), 1997. 

5. R. Caferra and N. Zabel. A method for simultaneous search for refutations and 
models by equational constraint solving. Journal of Symbolic Computation, 13:613- 
641, 1992. 

6. C. Fermiiller. Deciding Classes of Clause Sets by Resolution. PhD thesis, Technis- 
che Universitat Wien, 1991. 

7. C. Fermiiller, A. Leitsch, T. Tammet, and N. Zamov. Resolution Methods for the 
Decision Problem. LNAI 679. Springer, 1993. 

8. C. Fermiiller and G. Salzer. Ordered paramudulation and resolution as decision 
procedure. In A. Voronkov, editor, Logic Programming and Automated Reason- 
ing, fth International Conference, LPAR’93, St. Petersburg, Russia, July 1993, 
Proceedings, volume 698 of Lecture Notes in Artificial Intelligence, pages 122-133. 
Springer Verlag, 1993. 

9. C.G. Fermiiller and A. Leitsch. Hyperresolution and automated model building. 
Journal of Logic and Computation, 6(2):173-203, 1996. 

10. C.G. Fermiiller and A. Leitsch. Decision procedures and model building in equa- 
tional clause logic. Journal of the IGPL, 6(1):17-41, 1998. 

11. W.H. Joyner. Resolution strategies as decision procedures. Journal of the ACM, 
23:398-417, 1976. 

12. Stefan Klingenbeck. Counter Examples in Semantic Tableaux. PhD thesis, Uni- 
versity of Karlsruhe, 1996. 

13. A. Leitsch. The resolution calculus. Springer. Texts in Theoretical Computer 
Science, 1997. 

14. Alexander Leitsch. Deciding clause classes by semantic clash resolution. Funda- 
menta Informaticae, 18:163-182, 1993. 

15. Donald W. Loveland. Automated Theorem Proving: A Logical Basis, volume 6 of 
Fundamental Studies in Computer Science. North Holland, 1978. 

16. S.Y. Maslov. The inverse method for establishing deducibility for logical calculi — . 
Proc. Steklov Inst. Math., 98:25-96, 1968. 

17. Robert Matzinger. Computational representations of Herbrand models using gram- 
mars. In Computer Science Logic, CSL’96, 1997. 

18. Nicolas Peltier. Nouvelles Techniques pour la Construction de Modeles finis ou 
infinis en Deduction Automatique. PhD thesis, Institut National Polytechnique de 
Grenoble, 1997. 

19. Nicolas Peltier. Simplifying formulae in tableaux. Pruning the search space and 
building models. In Proceeding of Tableaux’97, pages 313-327. Springer, 1997. 
LNAI 1227. 




Decision Procedures and Model Building 



79 



20. R. Pichler. Algorithms on atomic representations of herbrand models. In Proc. of 
JELIA ’98, pages 199-215. Springer, LNAI 1489, 1998. 

21. J. A. Robinson. A machine-oriented logic based on the resolution principle. J. 
Assoc. Comput. Mach., 12:23-41, 1965. 

22. G. Salzer. Deductive generalization and meta-reasoning, or how to formalize Gen- 
esis. In H. Kaindl, editor, Proc. 7th Austrian Conference on Artificial Intelligence, 
Informatik-Berichte 287, pages 103-115. Springer Verlag, 1991. 

23. G. Salzer. Unification of Meta-Terms. Dissertation, Technische Universitat Wien, 
Austria, 1991. 

24. J.R. Slagle. Automated theorem-proving for theories with simplifiers, commuta- 
tivity and associativity. J. Association of Computing Machinery, 21(4):622-642, 
1974. 

25. Tanel Tammet. Using resolution for deciding solvable classes and building finite 
models. In Baltic Computer Science, pages 33-64. Springer, LNCS 502, 1991. 




Replacement Rules with Definition Detection* 



David A. Plaisted and Yunshan Zhu 



Department of Computer Science 
University of North Carolina at Chapel Hill 
Chapel Hill, NC 27599-3175 
{plaisted I zhu}@cs .unc . edu 



Abstract. The way in which a theorem prover handles definitions can 
have a significant effect on its performance. Many first-order clause form 
theorem provers perform badly on theorems such as those from set the- 
ory that are proven largely by expanding definitions. The technique of 
using replacement rules permits automatic proofs of such theorems to be 
found quickly in many cases. We present a refinement of the replacement 
rule method which increases its effectiveness. This refinement consists in 
recognizing which clauses are obtained from first-order definitions. 



1 Introduction 

Many theorems involve concepts that are defined in terms of other concepts. 
For example, continuity can be defined in terms of limits, and the subset re- 
lationship is defined in terms of set membership. In an application, one might 
define the sibling relationship in terms of the parent relationship. How a theorem 
prover handles such definitions can have a significant effect on its performance. 
Sometimes it is better to expand these definitions to obtain a proof, and some- 
times not. The problem is even more severe for clause form theorem provers 
in first-order logic. If the definition of a predicate involves the introduction of 
new quantifiers, then the replacement of the predicate by its definition becomes 
difficult for a clause form theorem prover, because all quantifiers are eliminated 
in the translation to clause form. As a result, clause form theorem provers are 
often very weak on problems involving defined predicates, such as theorems of 
set theory. This problem was highlighted by Bledsoe in [Ble77]. The inability to 
handle such definitions efficiently is a common problem in clause form theorem 
proving, even if it is not always recognized as such, and one that is not handled 
well by a basic resolution theorem prover. However, clause form is attractive 
for theorem proving because it permits many simple complete theorem proving 
methods based on unification, and so it would be helpful to be able to simulate 
the replacement of predicates by their definitions in a clause form context. 

As an example of the problem, suppose that we desire to prove that (Va;)((a:n 
x) = x) from the axioms of set theory. A human would typically prove this by 

* This research was partially supported by the National Science Foundation under 
grant CCR-9108904 



R. Caferra and G. Salzer (Eds.): Automated Deduction, LNAI 1761, pp. 80—94, 2000. 
(c) Springer- Verlag Berlin Heidelberg 2000 




Replacement Rules with Definition Detection 



81 



noting that (ifli) = a; is equivalent to ((x fl x) C x) A (x C (ifli)), then 
observe that u C v is equivalent to (V 2 )((z G u) D (z G v)), and finally observe 
that 2 G (x fl x) is equivalent to (z € x) A (z G x). After applying all of these 
equivalences to the original theorem, a human would observe that the result is 
a tautology, thus proving the theorem. 

But for a resolution theorem prover, the situation is not so simple. The axioms 
needed for this proof are 



(x = y) = [0 C y) A (y c x)] 

{xCy) = (Vz){(z G x) D (z G y)) 

(z G (x n y)) = [{z G x) A [z G y)} 

When these are all translated into clause form and Skolemized, the intuition of 
replacing a formula by its definition gets lost in a mass of Skolem functions, and 
a resolution prover has a much harder time. This particular example may be 
easy enough for a resolution prover to obtain, but other examples that are easy 
for a human quickly become very difficult for a resolution theorem prover using 
the standard approach. 

The problem is more general than set theory, and has to do with how def- 
initions are treated by resolution theorem provers. We cannot directly replace 
(x C y) in a resolution theorem prover by G x) D (z G y)) because this 

would entail introducing a new quantifier, and such quantifiers have already been 
eliminated in the translation to clause form. Resolution theorem provers often 
have trouble with theorems like this. Even the set of support strategy [WRC65], 
which restricts inferences to those related to the particular theorem being proved, 
doesn’t always do the right thing because it does unification, not matching, and 
because it loses the sense of directionality of the definitions, since any literal can 
be resolved. Of course, in a higher order theorem prover, one can perform the 
rewrite and introduce explicit quantifiers, which is an advantage for higher-order 
theorem proving. But we are interested in increasing the power of first-order the- 
orem provers, as well. 



2 Replacement Rules 

The philosophy of replacement rules is to simulate the replacement of predicates 
by their definitions in a Skolemized setting. 

Definition 1. A replacement rule is an expression of the form R —> r L\, L 2 , 
. . . , L n . R is called a replacement literal. A replacement rule R — > r L \ , L 2 , • • • , 
L n corresponds to the clause L 1 , L 2 , ■ • • , L n }. The literals R and Li can 

be either positive or negative. We denote the set of replacement rules as RR. 
We define the set of relevant literals RL and relevant instances RI recursively 
as follows: Initially, RL contains ground literals occurring in the input clauses, 
and RI is empty. Then RL and RI are modified by performing the following 
operation as many times as possible, until there is no more change: If L G RL 
and there is a replacement rule C G RR of the form C = R —> r L\ . L 2 , ..., L n 




82 



David A. Plaisted and Yunshan Zhu 



where R is the replacement literal in C and R6 = L, then RL <— RL U {Lid, 
L 2 9, . . . , L n 9}, and RI <— RIlJ {{-• R9 , L\9, . . . , L n 9}}. Note that RL is a set 
of ground literals and RI is a set of ground clauses. 



Clauses 

1. {^Z € X n Y,Z £ X} 

2. {^Z £ X n Y, Z £ Y} 

3. {Z £ X n Y, Z £ X, € Y} 

4. {-.X C Y, — if/ € X, U £ Y} 

5. {X C Y,g(X,Y) € X} 

6. {X' C Y, ->g{X, Y) £ Y} 
Theorem: {-ia flaCa) 



Replacement Rules 

z £ x rY —> r z £ x 
Z £ x n Y -^r Z £ Y 
nZexn Y -> r € x, <= Y 

X C Y -> r -nil £ X, U £ Y 
-.X C Y -► r g(X, Y) £ X 
-.X C Y -> r -. S (X, Y) € Y 



Table 1 . Replacement rules for a set theory example 



There are many ways that a clause can be made into a replacement rule. 
Later we will give a general method for doing this. For now, we just give an 
example. Table 1 contains clauses for a set theory problem and the corresponding 
replacement rules 1 . Both C and fl are defined in terms of the predicate £. The 
first three clauses define fl, and the last three define C. “g(X,Y)” is a Skolem 
function. Replacement literals contain the concepts (predicates or functions) 
being defined. Intuitively, since the theorem involves D and C, the proof of the 
theorem will involve instances of the input clauses that “define” C and fl. These 
instances can be generated using the replacement rules. 

We illustrate the replacement strategy using the example from Table 1. Ini- 
tially, RL 0 = {-*i D a C a} and RI 0 = 0. The relevant literal ~^a fl a C a 
unifies with the replacement literal ->X C Y in 5) and 6). After one round 
of replacement, RI\ contains instances {a fl a C a, g(a fl a, a) € a fl a} and 
{afla C a, ^g(afla, a) £ a}. RL\ contains relevant literals {afla C a, g{aC\a, a) £ 
a fl a, ~^g(a fl a, a) £ a}. The new relevant literal g(a fl a, a) £ a fl a unifies with 
the replacement literal Z £ X fl Y in 1), thus RI 2 = Rh U {{^ g(a fl a, a) £ 
a fl a,g(a fl a, a) £ a}}. RL 2 = RL i U {g(a fl a, a) £ a}. No more new re- 
placement rules can be applied to the relevant literals in RL 2 . The union of 
RI 2 with the input clause set contains a propositionally unsatisfiable set of in- 
stances. We do not need to be concerned about directionality here, since unsat- 
isfiability can be detected by a Davis and Putnam type propositional decision 
procedure[DP60,DLL62] . 

Replacement rules solve the problem of handling definitions in a first order 
setting very effectively, in many cases. Simple theorems can sometimes be proved 
by applying replacement in this way: generating a set of replacement instances, 
and demonstrating propositional unsatisfiability of the replacement instances 

1 The first-order clauses can also be represented as 
{ not in(Z, inter section(X, Y)), in(Z, X)}. For clarity, we use £ for predicate in, fi 
for function intersection and C for predicate subset. We use infix instead of prefix 
operators. 




Replacement Rules with Definition Detection 



83 



using a decision procedure such as that of Davis and Putnam. This approach is 
not the same as meta-level replacement as presented in [Pau92] , since the original 
clauses are not removed or even rewritten. Rather, a set of new replacement 
instances is added to the set of clauses. These replacement instances encode the 
relationship between the original clauses and their rewritten versions. However, 
the original clauses are still available for inference. This technique permits proofs 
to be found regardless of whether the original or rewritten clauses are the ones 
that are needed for the proof. The problem is how to choose the rules and their 
orientation automatically. 



3 Methods for Choosing Replacement Rules 



Before presenting our current approach, we survey some of the approaches we 
have tried in the past. The idea of [PG86] was to do the replacement of predicates 
by their definitions before translation to clause form, and then use a structure- 
preserving clause form translation and a particular variant of locking resolution. 
This approach was highly effective with a number of set theory problems. In 
[PP91], we performed replacement in a term-rewriting context and applied re- 
placements much in the spirit of term rewriting rules. However, the rules and 
their orientations were chosen by the user. This approach was also effective on 
a number of theorems from set theory, including the composition of homomor- 
phisms theorem. In [LP94] , the replacement rules were used in a first-order clause 
form context, as illustrated above, but they were chosen by the user, and there 
were extra features added as well to enable some difficult proofs to be obtained. 
These rules were integrated into CLIN, an instance-based first-order prover that 
already had a propositional satisfiability tester built in. The prover CLIN-S of 
[CP94] had an automatic method for choosing the replacement rules, and was 
able to obtain a number of set theory problems fully automatically. It had two 
kinds of replacement rules, one kind that always replaced literals by others that 
were smaller, and the other that replaced literals by possibly larger literals. The 
former rules were applied more often than the latter ones. The RRTP theorem 
prover of [PP97] has automatic methods of choosing replacement rules, but the 
goal is not to detect definitions, but instead to perform a number of different 
kinds of replacement at the same time. This prover turned out to be very efficient 
for problems involving concept description languages [PP98] . Replacement rules 
have been extensively studied in [Par97] . We present a variant of the definitional 
replacement rule in [Par97] . We also emphasize the automatic generation of def- 
initional replacement rules. The work of [GOP93] also seems relevant, because 
it proposes a criterion for eliminating defined concepts. It is also of note that 
[DHK98] considers this problem of how to replace predicates by their definitions 
in a systematic way in a first-order combinatory logic setting, and obtains a 
complete approach to higher-order logic in this manner. 

The idea which we now propose is to detect which clauses were obtained 
from first-order formulas of the form L = A, where L is a literal and A is a 




84 



David A. Plaisted and Yunshan Zhu 



formula. Such clauses are then converted into replacement rules which have the 
same logical power as replacing L by A, without actually doing it. 

Suppose a definition of the form L = (A\ V A 2 ) is translated into clause form, 
where A\ and A 2 are literals. Then we obtain the clauses 

- L\A\,A° 2 

L° , ->A\ 

L° , ~^A\ 

where -> L 1 is the Skolemized form of ~>L, and 
and similarly for A\ and A 2 . For a definition 
obtain the clauses 

L° , ~>A\, ~>A\ 

- L\A° X 

- l\a° 2 

with notation as above. The pattern also can be extended to definitions of the 
form L = [Ai V A 2 V . . . A n \ and L = [Ai A A 2 A . . . A n \, as shown below. Such 
patterns can be detected, and replacement rules can be constructed that will 
have the effect of replacing L by its definition. We have integrated this approach 
into the OSHL theorem prover [PZ97], which is an instance-based prover that 
generates ground instances of the input clauses and tests them for propositional 
satisfiability. 

We now make precise the criterion for detecting definitions and generating 
replacement rules. 

Theorem 1. Suppose the formula L = (QiX\) . . . (Q m Xm)(L 1 V L 2 V ... V L n ) 
is converted to clause form, where L is a quantifier-free literal, the Qi are either 
V or 3, and the Li are literals, possibly containing additional quantifiers. Then 
the resulting set of clauses will be of the form 

->L V L? V V . . . V 
L V ~^L\ 

L V ~^L\ 

LV^Ll 

where the L® and L\ are literals and the empty clause may be derived by unit 
resolution from the clauses 

(L?VL°V...VL°)0 

~^L\e 

~^L\0 

^LiO 



L° is the Skolemized form of L , 
of the form L = (A\ A A 2 ), we 




Replacement Rules with Definition Detection 



85 



where 0 is a substitution replacing the variables of L by distinct new constant 
symbols. 

Proof. We know that the formula [{QiX\) . . . ( QmXm){L\ V L 2 V ... V L n )\ A 
^[(QiXi) . . . ( QmX m ){Li V L 2 V ... V L n )] is unsatisfiable, as are all instances 
of this formula obtained by replacing the variables of L by arbitrary terms. 
Since this formula is unsatisfiable, its Skolemized form is also unsatisfiable. The 
Skolemized form of this formula is the set of clauses 

(L°VL°V...VL°) 

^L\ 

~^L\ 



Since this set of clauses is unsatisfiable, there is a resolution proof of the empty 
clause. However, since only one of the clauses is a non-unit clause, there must be a 
unit resolution proof of the empty clause, as stated in the theorem. Moreover, if 0 
is a substitution replacing the variables of L by distinct new constant symbols, we 
know that [(QiXi) . . . (Q m x m )(Li Vi 2 V . . . V L n )\0 A ->[(<2iXi) . . . (Q m x m )(Li 

V L 2 V ... V L n )\0 is unsatisfiable, so by similar reasoning there is a unit res- 
olution refutation from its Skolemized form. By syntactic reasoning about the 
process of Skolemization, we can conclude that there is also a unit resolution 
refutation from the clauses 

(L?VL°V...VL°)0 

-nL{0 

*nL\0 

^L\0. 

Furthermore, the Skolemized form of the formula L = (QiXi) . . . (Q m x m )(Li V 
L 2 V . . . V L n ) is obtained from the Skolemized form of [(QiXi) . . . (Q m x m )(Li V 
I / 2 V ... V L n )\ A ->[(QiXi) . . . (QmXm){L\ V L 2 V ... V L n )\ by adding the literal 
L or ~^L to the resulting clauses. □ 

We note by duality that the same result applies to definitions of the form 
L = (QiXi) . . . {QmX m ){Li A L 2 A ... A L n ). This theorem gives an effective way 
to detect such definitions, as well. 

As an example, consider the clauses 

{^Z € X ClY,Z € Xj 
{^Z eXDY,ZeYj 
{z e xnY,^z e x,^z e F} 

We can choose L to be the literal Z G X fl Y and choose 0 to replace X by a, 

Y by 6, and Z by c. Then, according to theorem 1, the set of clauses 

{Z G X}0 
{ZgY}0 

{^z gx,^z g y}0 




86 



David A. Plaisted and Yunshan Zhu 



should be unsatisfiable, and the empty clause should be derivable from them 
using unit resolution. And it is easy to verify that the empty clause is derivable 
by unit resolution from 

{c e a] 

{c£b} 

{~<c £ a, ->c € b} 

For clauses in which quantifiers Qi appear, the clauses 
(L°VL°V...VL°)0 

~^L\e 

~'L\0 

-'Lie. 

might not be ground clauses. This is the case, for example, with the definition 
of C: 

{not (subset (X,Y)), not(in(Z,X)), in(Z,Y)}. 

(in(g(X,Y),X), subset (X,Y)}. 

(not(in(g(X,Y),Y)), subset (X,Y)}. 

The substitution 0 will not replace the variable Z by a constant in this case. 
The empty clause is still derivable by unit resolution even if there are quantifiers 
in the definition, which means that the literals L® or Lj will contain variables 
that are not removed by 0. 

What this means is that in computing the set RI of relevant instances, some 
of these relevant instances may contain variables. In order to obtain ground in- 
stances, which we need for the propositional unsatisfiability test, these variables 
are instantiated to ground terms by unification of literals of RI with other rel- 
evant literals. This mechanism is essential to obtain the proof of the theorem 
p(lnh) =p(X)np(Y), which is discussed below. The reason for this is that the 
definition of X C Y is \/Z(Z € X D Z £ Y), and this definition does not specify 
how Z is to be instantiated. Therefore, we need to unify with other literals to 
know how to instantiate Z. 

It is not only single definitions that are of interest, but their interaction 
as well. In a mathematical theory, there is often a hierarchical definition of 
concepts. For example, in set theory, subset or union can be defined in terms of 
membership , and equalset can be defined in terms of subset. To prove a theorem 
involving subset and intersection, it is often necessary to expand the definitions 
of these concepts. In the replacement strategy, there are a number of replacement 
rules generated based on the input clauses. Instances of the input clauses are 
generated using these replacement rules. The generation of these instances in 
essence corresponds to the expansion of definitions. 

A replacement rule can be manually generated by examining each clause 
and using human insight to select the replacement literal that represents the 
defined concept. However, there are patterns in input clauses noted in theorem 1 




Replacement Rules with Definition Detection 



87 



that often correspond to definitions, and these patterns can be used to generate 
replacement rules automatically. 



Case 1. 

First-Order Formula: WXp(X) ~ 3Y( qi (X, Y ) A q 2 (X, Y) . . . A q n (X , Y)) 

Clause Form: 

[p(X),^!(X, ?),..., ^q n (X,Y)]. 

h p(X), qi (X,f(X))}. 

h p(X),q n (X,f(X))]. 

Case 2. 

VXp(X) <-> 3Y{ qi (X, Y) V ... V q n (X, Y)) 
hp(X), Ql (X, f(X)), q n (X, f(X))}. 

\p(X),^ qi (X,Y)]. 

\p(X),^q n (X,Y)]. 

Case 3. 

VXp(X) <-> VY( qi (X, Y) A ... A q n (X, Y)) 

[p(X), ^ qi (X, f(X )), . . . , -n q n (X , f(X))}. 
h p(X), gi (X,Y)]. 

h p(X),q n (X,Y)]. 

Case 4. 

VXp(X) <-> VY( qi (X, Y) V q 2 (X, Y ) ... V q n (X, Y)) 
h p(X),qi(X,Y),...,q n (X,Y)]. 

\p(X),^ qi (Xj(X))]. 

\p(X),^q n (Xf(X))\. 

Fig. 1. First-order formulas and clauses that often represent definitions 



Definition 2. If 5 is a set of first-order clause such that N £ S and Na = 
{P, Q i, . . . , Q n } and if Vz(Pj € S) where EiCti = {-iP, where a and are 

substitutions, then we call clause N a nucleus clause and we call the Ei electron 
clauses. The first-order literals P and Qi can be either positive or negative. 

Remark 1. Given a nucleus clause N such that N a = {P,Qi, . . . ,Q n } and its 
electron clauses Ei such that PjOi = {-iP, ~^Qi} where P contains at least one 
predicate, function or constant symbol that does not appear in any Qi, replace- 
ment rules -<P — > r Q \, . . . , Q n and P — > r ~^Qi are generated. 

Figure 1 lists some common axiomatization of definitions. Their clause forms 
have patterns that are captured in nucleus and electron clauses. For example, 




David A. Plaisted and Yunshan Zhu 



in the set theory example in Table 1, the definition of fl corresponds to case 
1 or 3, where Y = 0, and the definition of C corresponds to case 4. Based 
on Definition 2, it is quite easy to test whether a clause C £ S is a nucleus 
clause. One can nondeterministically select a literal R in C, assume R to be 
the replacement literal P, and check if Vi(Pj £ S ), where EiOti = {^P,^Qt}. 
A set of clauses might generate multiple sets of replacement rules due to dif- 
ferent ways of assigning replacement literals. For example, in a clause set with 
{{p(X) , ^q(X)} , {^p(X) , q(X)}} , both p(X) and q(X) can be replacement lit- 
erals. In this case, we generate two sets of replacement rules p(X) — » r q(X), 
^p{X) —> r ~^q(X) and q(X) — p(X), ~>q(X) —> r ~>p(X). This is not a problem 
for our approach, since no rewriting actually occurs. Both sets of replacement 
rules are used at the same time. In general, multiple replacement rules may be 
used at the same time, which may have the effect of replacing some literals by 
multiple definitions at the same time. The idea of nucleus and electron clauses 
can be extended to detect other patterns of definitions, such as a definition of 
the form P <-> (Qi A Q 2 ) V Q 3 . 

In OSHL, when the set theory flag is turned on, the replacement strategy 
is invoked before the instantiation procedures that generate semantically false 
instances. The replacement strategy terminates when a time limit is reached, or 
no more relevant literals can be generated. OSHL collects all relevant instances 
generated by the replacement strategy and combines them with the instances 
generated by instantiation to detect propositional unsatisfiability using a method 
much like that of Davis and Putnam [DP60,DLL62]. 

Nontermination of the process of replacement is not inherently a problem 
for this approach, since a propositional satisfiability test can be applied after 
each round of replacement. Thus we do not need to be concerned with whether 
the definitions are well-founded, in some sense. In fact, definition of a predicate 
p(X, Y) as p(Y, X) would not even cause nontermination for us. Other definitions 
could cause nontermination. However, if the replacement process is nonterminat- 
ing, then after a certain time limit, the general theorem prover will be called, 
which might not be as efficient at finding a proof as the replacement rules would 
be. 

We applied the replacement strategy to solve set theory problems. The tech- 
nique is very effective and can generate the “right” instances very efficiently. 
Combining replacement rules with an efficient propositional decision procedure, 
OSHL can solve many set theory problems that are very difficult for other the- 
orem provers. The automatic generation of replacement rules is also effective. 
Many definitions in set theory can be detected. Examples include intersection, 
union, subset, powerset, etc. Some definitions are not captured by nucleus or 
electron clauses. For these, we can either construct the replacement rules man- 
ually, or else break the definitions into smaller pieces, each of which will be of 
the form L = (4i V d 2 ) or L = (A\ A A 2 ), both of which our approach can 
detect. For example, a definition of the form P = [(Qi A Q 2 ) V Q 3 ] can be broken 
down into the definitions P = (Pi V Q 3 ) and Pi = {Q 1 A < 52 )- This technique is 
somewhat like a structure-preserving translation to clause form [PG86]. 




Replacement Rules with Definition Detection 



4 Test Results 

We now present results on application of replacement rules in set theory. All 
runs were done on a SUN Sparc-20. OSHL is programmed in Prolog and Otter 
[McC90] is implemented in C. Six problems were run, which we will call pi 
through p6. These involved definitions of the set theory predicates “equal” and 
“subset” and the functions U, D, comp (complement), diff (difference), and p 
(powerset). We indicate which axioms were included in each problem by Ax[= 
, C, U], for example, indicating that the definitions of =, C, and U were included 
in the set of axioms. The definitions were input as in table 2. 

Definition of =: (not(equal(X,Y)), subset(X,Y)}. 

(not(equal(X,Y)), subset(Y,X)}. 

(not(subset(X,Y)), not(subset(Y,X)), equal(X,Y)}. 

Definition of C: (not(subset(X,Y)), not(in(Z,X)), in(Z,Y)}. 

{in(g(X,Y),X), subset(X,Y)}. 

(not(in(g(X,Y),Y)), subset (X,Y)}. 

Definition of U: (in(X,Y), in(X,Z), not(in(X,union(Y,Z)))}. 

{in(X, union) Y,Z)), not(in(X,Y))}. 

(in(X,union(Y,Z)), not(in(X,Z))}. 

Definition of H: (not(in(X,Y)), not(in(X,Z)), in(X, intersect (Y,Z))}. 

{not(in(X, intersect (Y,Z))), in(X,Y)}. 

{not(in(X, intersect (Y,Z))), in(X,Z)}. 

Definition of comp: {not(in(X,Y)), not(in(X,comp(Y)))}. 

(in(X,Y), in(X,comp(Y))}. 

Definition of diff: (in(X,diff(Y,Z)), not (in(X, intersect (Y,comp(Z))))}. 

(not(in(X,diff(Y,Z))), in(X, intersect (Y,comp(Z)))}. 

Definition of p : (not(subset(X,Y)), in(X,p(Y))}. 

(not(in(X,p(Y))), subset(X,Y)}. 

Table 2. Clauses defining set theory predicates and operators 



The clauses and theorems for the various problems were as shown in table 3. 
We note from the input clauses of problems pi to p6 that axioms were often 
included that were not needed for the proof. The results on OSHL and Otter 
were as shown in table 4. 




90 



David A. Plaisted and Yunshan Zhu 



Problem pi: Ax[=,C,n] 

Negation of theorem: 

{not(equal(a, intersect (a, a)))}. 

Problem p2: Ax[=,C,n] 

Negation of theorem: 

{ not (equal (intersect (a, intersect (b , intersect (a, c) ) ) , 
intersect(c,intersect(a,intersect(c,b)))))}. 

Problem p3: Ax[=,C,n,U,p] 

Negation of theorem: 

{not (equal(p(intersect (a,b) ) , intersect (p(a) ,p(b) ) ) ) } . 

Problem p4: Ax[=,C,n,U,comp] 

Negation of theorem: 

{not (equal(comp(union(a,b)), intersect (comp(a),comp(b))))}. 

Problem p5: Ax[=,C,n,U,p,comp] 

Negation of theorem: 

{not (equal(comp(union(a,b)), intersect (comp (a), comp(b))))}. 

Problem p6: Ax[=,C,n,U,p,comp,diff] 

Negation of theorem: 

{neg(equal(diff(a,diff(a,b) ) , intersect (a,b) ) ) } . 

Table 3. Input clauses of problems pi to p6 



These runs were made with Otter using binary resolution and only the nega- 
tion of the theorem in the set of support. We also ran all problems on Otter with 
all clauses in the set of support and used hyper-resolution, with essentially the 
same result: all problems except the first one timed out after 1000 seconds and 
generated many clauses, without finding a proof. Something that is not obvious 
from the figures of table 4 is that the proofs printed out by OSHL are often 
several pages long. 

5 Comparison with Other Approaches 

There have been a number of other approaches to set theory; meta-level replace- 
ment has already been mentioned. One difference of our approach is that it is a 
general technique for handling definitions and is not limited to set theory. Our 
approach also differs from some others that involve higher-order logic and thus 
can explicitly represent quantifiers in definitions. 

Quaife[Qua92] has also obtained many proofs in set theory. He used Otter 
[McC90], a general first-order theorem prover, with some special settings for 
the switches. For example, he often preferred UR-resolution with set of support 
and preferred clauses not containing variables. Though this can be effective, the 




Replacement Rules with Definition Detection 



91 



Problem 


OSHL 

Time 


OTTER 

Time 


OTTER 

clauses generated 


Pi 


0.3 


0.03 


51 


p2 


2.3 


1000+ 


41867 


p3 


11.25 


1000+ 


27656 


p4 


1.35 


1000+ 


105244 


p5 


2.0 


1000+ 


54660 


p6 


2.17 


1000+ 


23553 



Table 4. Timing of OSHL and OTTER. Time is measured in seconds on a 
SPARC-20. 1000+ means that no proof is found in 1000 seconds. 



combination of UR resolution and set of support is not complete in general. 
Quaife also chose particular clause weightings to guide the proof. For simple 
theorems, our approach seems to require less guidance. However, Quaife was 
able to prove harder theorems than we can obtain automatically at present. 

The approach of Andrews [BA98] is interesting in that he also retains both 
the original clauses and their expanded forms. His approach is incorporated 
into a higher-order theorem prover, which is more expressive but has a higher 
overhead for simple theorems. 

The Set-Var approach of [BF91] handles theorems in which set variables are 
universally and existentially quantified. For us, all set variables are universally 
quantified (in effect), which makes the theorems simpler. We do not know how 
the Set-Var approach would perform on theorems such as we have tried. 

The approach of [COP90] is noteworthy in that they give a decision procedure 
for a fragment of set theory. It may be that our approach also provides a decision 
procedure for this same (V)q fragment of set theory. If so, then the use of efficient 
propositional decision procedures could actually give our approach an efficiency 
advantage. It may also be that not all of our examples fit within this fragment 
of set theory. 

6 Discussion 

Although we only ran six problems, the results are striking enough that some 
general conclusions can be drawn. Since many set theory problems are of the 
same general nature, it is clear even from these results that replacement rules are 
far superior to resolution on set theory problems which can be proved entirely by 
the replacement of predicates and operators by their definitions. In addition, we 
note that the replacement rule facility implemented here is fully automatic and 
does not recognize these problems as set theory problems. If all of the operators 
and predicates were renamed, the OSHL running times would be essentially the 
same. Since definitions are common in many theorems, a replacement rule facility 
such as this one would be a good addition to any theorem prover. 

These problems were fairly simple, and so we would not expect the same 
efficiency on more complex problems, such as the composition of homomorphism 




92 



David A. Plaisted and Yunshan Zhu 



problem [Qua92]. It is an interesting project to attempt to extend the results of 
this paper to harder theorems. 

It would also be interesting to study the complexity of replacement using 
this mechanism. Of course, nothing in general can be said, because the pro- 
cess of replacement can generate long chains of replacement instances, or even 
be nonterminating on some examples. Some efficiency might be gained by gen- 
erating the replacement rules during a preprocessing step. It appears that the 
replacement rules can be generated in time polynomial in the length of the input 
clause set, if all clauses have a bounded number of literals. In the general case, 
generating these rules might take exponential time. 

We comment on the completeness of our approach. In general, we believe 
that the following is true: If a set S of clauses, with all definitions expanded, 
is propositionally unsatisfiable, then our method will be able to show that S is 
unsatisfiable. This is at least a limited completeness result. After replacement 
rule generation, the replacement instances together with the input clause set are 
given to a general theorem prover in our approach. We note that the clauses 
that have been identified as definitions are not dropped from the input clause 
set, which would lead to incompleteness. 

Examples of possible applications in which replacement rules could prove 
valuable include hardware verification, in which the high-level behavior of a de- 
vice can often be defined in terms of its detailed low-level gate-level behavior. 
Another application is concept description languages, which often involve defini- 
tions, and for which a replacement mechanism was recently shown to be efficient 
[PP97]. We also believe that state space planning problems can be solved quickly 
in this way, but we have not investigated this very far. 

One limitation of this technique is that replacement is only performed on 
ground literals present in the input clauses. It is often useful to apply definition 
expansion to terms and literals generated during the course of a proof, as well. 
This could be done in a similar way, but of course there is less likelihood that 
such definition expansion will lead to a proof. We need to devote more attention 
to this area. It does not seem right to apply replacement to all ground literals 
that appear during the course of a proof, but it may be advantageous to apply 
it to some of them. 

An interesting comparison can be made with these problems and the TPTP 
problem set [SS97] , which has hundreds of set theory problems, each containing 
many, many axioms of set theory. The advantage of replacement over resolution 
and other strategies does not seem as striking on the TPTP problems as it does 
here, for some reason, and we do not fully understand why. 

7 Conclusions 

The replacement rule mechanism with automatic definition detection is efficient 
for proving many set theory problems, and is often far superior to resolution 
in this respect. It also holds promise for substantially increasing the power of 
first-order clause-form theorem provers on any problem in which the expansion 




Replacement Rules with Definition Detection 



93 



of definitions is needed in the proof. Moreover, this mechanism requires no user 
interaction. Many theorem provers would benefit by incorporating some form of 
replacement rules. 



Acknowledgments 

Support from Ricardo Caferra during the first author’s stay in Grenoble, France 
in the summer of 1998 contributed to the preparation of this paper. 



References 

BA98. Matthew Bishop and Peter B. Andrews. Selectively instantiating definitions. 

In Proceedings of the 15th International Conference on Automated Deduction , 
pages 365-380, 1998. 

BF91. W. W. Bledsoe and G. Feng. Set-var. Journal of Automated Reasoning, 
11(3):293-314, 1991. 

Ble77. W. W. Bledsoe. Non-resolution theorem proving. Artificial Intelligence, 9:1- 
35, 1977. 

COP90. D. Cantone, E.G. Omodeo, and A. Policriti. The automation of syllogistic 
II: optimization and complexity issues. Journal of Automated Reasoning, 
6(2): 173-187, 1990. 

CP94. Heng Chu and D. Plaisted. Semantically guided first-order theorem proving 
using hyper-linking. In Proceedings of the Twelfth International Conference 
on Automated Deduction, pages 192-206, 1994. Lecture Notes in Artificial 
Intelligence 814. 

DHK98. G. Dowek, T. Hardin, and C. Kirchner. Theorem proving modulo. Technical 
Report 3400, Institut National de Recherche en Informatique et en Automa- 
tique (INRIA), Le Chesnay, France, April 1998. 

DLL62. M. Davis, G. Logemann, and D. Loveland. A machine program for theorem- 
proving. Communications of the ACM, 5:394-397, 1962. 

DP60. M. Davis and H. Putnam. A computing procedure for quantification theory. 
Journal of the Association for Computing Machinery, 7:201-215, 1960. 

GOP93. D. Gabbay, J. Ohlbach, and D. Plaisted. Killer transformations. In Proc. 1993 
Workshop on Proof Theory in Modal Logic, pages 1-45, Hamburg, Germany, 
1993. 

LP94. S.-J. Lee and D. Plaisted. Use of replace rules in theorem proving. Methods 

of Logic in Computer Science, 1:217-240, 1994. 

McC90. W. McCune. Otter 2.0 (theorem prover). In M.E. Stickel, editor, Proceedings 
of the 1 0th International Conference on Automated Deduction, pages 663-4, 
July 1990. 

Par97. M. Paramasivam. Instance- Based First-Order Methods Using Propositional 
Calculus Provers. PhD thesis, University of North Carolina at Chapel Hill, 
1997. 

Pau92. L.C. Paulson. Set theory for verification I: from foundations to functions. 
Journal of Automated Reasoning, ll(3):352-390, 1992. 

PG86. D. Plaisted and S. Greenbaum. A structure-preserving clause form transla- 
tion. Journal of Symbolic Computation, 2:293-304, 1986. 




94 



David A. Plaisted and Yunshan Zhu 



PP91. 

PP97. 

PP98. 

PZ97. 

Qua92. 

SS97. 

WRC65. 



D. Plaisted and R Potter. Term rewriting: Some experimental results. Journal 
of Symbolic Computation, 11:149 - 180, 1991. 

M. Paramasivam and D. Plaisted. A replacement rule theorem prover. Jour- 
nal of Automated Reasoning, 18(2):221-226, 1997. 

M. Paramasivam and D. Plaisted. Automated deduction techniques for clas- 
sification in description logics. Journal of Automated Reasoning, 20(3):337- 
364, 1998. 

D. Plaisted and Y. Zhu. Ordered semantic hyper linking. In Proceedings of 
Fourteenth National Conference on Artificial Intelligence (AAAI97), Provi- 
dence, Rhode Island, 1997. 

A. Quaife. Automated deduction in NBG set theory. Journal of Automated 
Reasoning, 8(1):91-147, 1992. 

C.B. Suttner and G. Sutcliffe. The TPTP problem library (TPTP v2.0.0). 
Technical Report AR-97-01, Institut fur Informatik, Technische Universitat 
Munchen, Germany, 1997. 

L. Wos, G. Robinson, and D. Carson. Efficiency and completeness of the 
set of support strategy in theorem proving. Journal of the Association for 
Computing Machinery, 12:536-541, 1965. 




On the Complexity of Finite Sorted Algebras 



Thierry Boy de la Tour 



LEIBNIZ Laboratory - IMAG (CNRS) 

46, Av. Felix Viallet, 38031 Grenoble Cedex, France 

Thierry . Boy-de-la-Tour@imag . f r, 

WWW home page: 

http : //www-leibniz . imag.fr/ATINF/Thierry.Boy-de-la-Tour/welcome .html 



Abstract. The general problem of testing the isomorphism of two given 
finite algebras is known to be isomorphism complete, i.e. polynomially 
equivalent to the graph isomorphism problem (GI). It is easy to see that 
this fact still holds when sorts are introduced. However, this isomorphism 
problem is relevant only for algebras (or interpretations) of a fixed sig- 
nature, and in some cases, according to the signature, is much simpler 
than the general problem. We therefore establish exactly for which sig- 
natures is the associated isomorphism problem simpler than GI, and for 
which is it isomorphism complete. It turns out that for non-monadic sig- 
natures, this problem is isomorphism complete just as is the case without 
sorts, while the classification of monadic signatures is more complex and 
interesting in the presence of sorts. 



1 Introduction 

In the context of model building, it is very common to consider sorts in order to 
reduce the search space. It is also a trivial thought that things get more complex 
if we consider a formula with more non-logical symbols than another one. But 
then why not consider only one sort, and one function symbol encoding all 
others? Because the corresponding algebras would poorly represent the objects 
we are looking for, and the search would browse many meaningless structures. A 
search can only be efficient if the search space consists of reasonable candidates, 
not weird mixtures of unsuitable representations. We may question whether the 
art of finding a suitable, or “searchable” representation can rest on firm ground. 

When we search for finite models of a first order sorted formula, the search 
space is determined by the set of non-logical symbols used in the formula, i.e. 
the signature. It is clear that some signatures are much simpler than others, 
for example the interpretations of a signature S with only one constant symbol 
cannot match the rich structure of graphs, while this is possible with a binary 
predicate symbol. Of course, there may be many ways to represent any kind of 
objects as finite algebras, and it may be difficult to establish what can possibly 
be represented in a given structure. We may however obtain negative results by 
considering the relative complexity of source and target structures of representa- 
tions: the represented object is necessarily simpler than the structure into which 
it is encoded. 



R. Caferra and G. Salzer (Eds.): Automated Deduction, LNAI 1761, pp. 95—108, 2000. 
(c) Springer- Verlag Berlin Heidelberg 2000 




96 



Thierry Boy de la Tour 



We will only consider transformations that preserve isomorphisms in order to 
ensure fair representations. We will also focus on a very elementary measure for 
the complexity of a structure: the computational complexity of the associated 
isomorphism problem. The reason is that the general isomorphism problem be- 
tween finite algebras is known to be isomorphism complete, while it is believed 
that this class is disjoint from the class P. Hence finite interpretations of simple 
signatures, i.e. inducing a polynomial isomorphism test, are strictly simpler than 
those rich enough to embed graphs. 

2 Preliminaries 

Definition 1. Given a finite set S, whose elements are called sorts, the set of 
first-order 5-types is Ti(5) = UfcGN^ fc x (<S W {o}). 

For t = (di , . . . , dk, r) £ Ti(5), if k 0 then t is said to be functional of 
arity k, and is noted d\ x . . . x dk — > r; domf is d\ x . . . x dk and rng£ is r. If 
k =1, t is said to be monadic, and atomic if k = 0. 

A signature £ = (S,IF,t) is given by a finite set S of sorts, a finite set T 
of symbols and a function r from T to Ti(5). f £ £ stands for f £ IF, and £f 
for t(/). If £f is functional and rng£f = o, then f is a predicate symbol. A 
signature £ is monadic z/V/ £ £, £f is either monadic or atomic. 

A sort interpretation 1 of S is a function which associates a non empty set 
to each element of S, such that Vs, s' £ S, if s yf s' thenX(s) CiX(s') = 0 and 
X(s) fl {T, _L} = 0. X is said to be finite iff Vs £ S,X(s ) is finite. 

We naturally extend X to the set of first order S-types by: X(o) = {T,_L}, 
Vsi , . ..,s„ S <S,I(si x ... x s„) = niLi ^( s i) an d f or an V functional first-order 
S-t.ype t, X(t) is the set of functions from Z(domf) toX(rngt). 

A 17-algebra A = (I, v), or interpretation of £, is given by a sort interpreta- 
tion X of S and a function v from F to UteSifs) such, that V/ £ £, v(f) £ 
X(£ f). In the sequel, Af stands for v(f), and A(t) forX(t). From now on, we 
only consider finite algebras, i.e. such that the sort interpretation X is finite. 

Given two problems V and Q , we note V otp Q when V polynomially reduces 
to Q (see [1]). We note GI the problem of graph isomorphism: given two graphs 
G = (V, E) and G’ = (W, E'), GI is true of G, G' iS 3a : G = G’ , i.e. a is a 
1-1 function from V onto V' such that Vx, y £ V, (x,y) £ E <t=> ( x a , y a ) £ E 1 
( x a denotes the image of x under the isomorphism a). We will also consider 
the usual brands of graphs, directed, labeled, multigraphs. Their isomorphism 
problem are known to be all polynomially equivalent to GI, i.e. isomorphism 
complete (see e.g. [2]). Other standard notions as paths, connexity, etc. will also 
be assumed. 

We will obviously make extensive use of isomorphisms between (finite) alge- 
bras: given a signature £ and two 17-algebras A, B, an isomorphism between A 
and B is a function a such that 

— Vs £ S, a is 1-1 from _4(s) onto B(s), 

— a is the identity on _4(o) = B( o), 




On the Complexity of Finite Sorted Algebras 



97 



— V/ G £, let n be the arity of £f , V(xi, . . . , x n ) G „4(rng £f),Bf{xf , . . . , x°) 

= Af(xi, . ..,x n ) a . 

This is noted a : A = B. Finally, we note 1(17) the problem which, given two 
finite 17-algebras A, B , is true iff 3a such that a : A = B. 

Since we only consider isomorphism problems, we will provide polynomial 
time transformations from source structures (graphs, finite algebras) to target 
structures, while preserving isomorphisms in both directions. When isomorphic 
source objects are transformed into isomorphic target objects, we say that the 
transformation is invariant (intuitively, only their structure is transformed). If 
source objects are isomorphic whenever their transformed objects are isomorphic, 
the transformation is accurate ( all the structure is transformed). A transforma- 
tion both invariant and accurate is said to be fair. 

As an example, we first prove that complexity increases by adding sorts. 

Lemma 1. Let £ = ( S , T , r) and £' = (S l±l {s}, V 7 , t), then 1(17) ocp 1(17'). 

Proof. Any 17-algebra A can be transformed into a A'-algebra A by extending it 
with a new element a: let Aft) = A{t) and Af = Af for all t € S and / G T, and 
A(.s) = {a}, where a ^ l+J /e5 A{t). This transformation is obviously polynomial. 

The transformation is invariant since any isomorphism a between two 17- 
algebras A, B can be extended to an isomorphism between A and B (B extended 
with b) by a a = b. It is accurate since any isomorphism a : A = B is 1-1 
from A(s) onto B(s), hence a a = b , and the restriction of a to l+j (e5 .4(i) is 
an isomorphism between A and B. Hence the problem 1(17) can be solved by 
using 1(17') (whether the answer is yes or no) through this polynomial and fair 
transformation. 

In the sequel, we will establish properties of specific signatures, the statement 
of which will be eased by the following notation: for a given S and any first-order 
5-types t\, . . .,tn, w e note ft i , . . . , t n ~\ for any signature £ = ( S , T r) where T 
contains exactly n symbols f\ and Vi G {1 . . .n}, r(/i) = t*. If S is not 

specified, we take the smallest possible one: the set of symbols appearing in the 
tf s. 

It is easy to see that complexity increases by adding arguments to functions. 

Lemma 2. I([di x . . . x d n — > r]) ocp I(|"do x . . . x d, n —*r\). 

Proof. Let £ = ( 5, {/},r ), and £' = (5',{/},r') with S = {d 1 , . . . ,d n ,r}, 
r(/) = g?i x . . . x d n — > r, S' = S U {do} and and r'(/) = do x . . . x d n — ► r. We 
first consider the case where do G {c?i, . . . , d n , r}, that is S = S'. 

We transform any 17-algebras A into a A'-algebra A by: Vs G S, A(s) = A(s) 
and V(x 0 , ■ ■ - ,x n ) G A(d 0 x ... x d n ),Af(x 0 , ■ ■ - ,x„) = A/(x i, . . . ,x n ). This 
transformation is clearly polynomial: the graph of Af is duplicated | Vl(do) I times. 
Since Af(xfi, . . . , xff) = Af(x %, . . . , xff) and Af(x 0 , ■■■, x n ) a = Af(x i, . . . , x n ) a , 




98 



Thierry Boy de la Tour 



it is obviously fair: 



<7 : A = B iff V(xi, ...,x n ) G A(di x . . . x d n ),B f (xf, ,. .,x°) = A f (xi, . . .,x n y 
iff V(xo, ...,x n ) G A(d 0 x ... x d n ),B f (x q, . . .,a£) = A f (x 0 , . . .,x n y 
i Sa: A ^B. 



If do is a new sort, we first add do to E' , which yields 17" and 1(17) ocp 1(17") 
by lemma 1. The previous case yields 1(17") ocp 1(17'). 

It is not as easy to prove that complexity increases by adding objects to a sig- 
nature. More precisely, given two signatures S = ( S , T , r) and E' = (S' , T’ , r'), 
we say that E C S' iff S C 5', T C T’ and V/ G 7F, r(/) = t'(/). 

Definition 2. To any signature E we associate a directed multigraph Gs = 
(S, £z, fsti:, sndx 1 ), where is the set of (f,i) f or / G i 7 such that Ef is 
functional, with rng Ef^o and i is an integer between 1 and the arity n of f; 
then for Ef = d\ x . . . x d n — > r, we take fst ^7 ((/, i)) = di and snd s((f, i)) = r 
(see figure 1 ). 




Fig. 1. Gs for E = \d\ x di — » r, d\ — > r, r — > o] 



We now come to the more difficult task of adding a new function symbol 
g : d\ x . . . x d n — » t to a signature E while preserving isomorphisms. The trivial 
thing to do is to take some constant function for A g , but this necessarily involves 
an element of Aft), therefore disturbing the whole structure of the 17-algebra 
A. The solution is to add a new element at to Aft) in order to hold the “blind” 
value of A g . But then for any / G E with t among its domain sort, we have to 
provide a value for Af(at), and hence to add other elements to other range sets 
in order to hold the images of these new elements, in an inductive way. 

Lemma 3. Let E = (S, T, T\jd) and E' = (S, T l±) {y}, r), then 1(17) ocp 1(17'). 

Proof. Let t = rng r(g) if r(g) is functional, and t = r(g) otherwise. 

If t = o, to every 17-algebra A we associate a 17'-algebra A defined by: 

- Vs G 5,M(s) = -4(s), 

- V/ € E,Af = A f , 




On the Complexity of Finite Sorted Algebras 99 

— if r(g) is functional, then Vy € .4(domT(<ji)), A g (x) = T; if r(g) is atomic 
then A g = T. 

This transformation is obviously polynomial and fair. 

If t G S, let St be the set of s £ S such that there exists a path in Gs from 
t to s, and including t. Given a 17-algebra A, to every s £ St we associate a 
different a s such that a s ^ 1+J m g 5^( u )’ anc ^ we build the IC'-algebra A defined 
by (see figure 2): 

— Vs € S — S t ,A(s) = -4(s), and Vs G St, -4(s) = Vl(s) l±) {a s }, 

— V/ G E, if r(/) is atomic then Af = Af, 

— if r(g) is atomic then A g = at, 

— if r(g) is functional then V% G Vl(dom r(g)), A g (x) = a t , 

— if r(/) = d\ x . . . x d n — > r, then V(xi, . . - ,x n ) G A{d\ x . . . x d n ), 

Af(x\, . . . , x n ) = if Xi = Odj or. . .or x n = ad n then a r else Af(x \, . . . , x n ). 



s f t f' u 




The transformation from A to A is polynomial, and we have to prove that it 
is fair. Let B a 17-algebra, and B its extension as above with elements b s . 

If a : A = B, then we extend a to -4(s) by: a a s = b s . If r(g) is atomic, we have 
Ag = a° = b t = B g \ if r(g) is functional, then Vx G y4(dom r(g)), B g (x a ) = b t = 
at = A g (x) a . Moreover, V/ G E, if r(/) is atomic, then Af = AJ = Bf = Bf. 
We now consider the case where r(/) is functional, say r(/) = d\ x . . . x d n — > r; 
V(xi, . . . , x n ) G A(d\ x ... x d n ), we have 

Bf(x1, . . . , x^) = if x\ = bd, or. . .or = bd n then b r else Bf(x°, . . . , x£) 

= if Xi = ad 1 or. . .or x n = ad n then a° else Af(xi , . . . , x n ) a 

Af^Xi, . . . , Xn) . 



The transformation is therefore invariant. 




100 Thierry Boy de la Tour 



Conversely, let a : A = £>, we first prove that Vs € St, af = b s by induction 
on the length of the path form t to s in Gs- If this is 0, i.e. s = t, we have 
Vy € A(dom.T(g)),af = Ag(x) a = Bg(x a ) = h (and similarly if r(g) is atomic). 
If this is true of di (induction hypothesis) and there is an arrow in Gs form 
di to r, i.e. there is a f £ £ with r(/) = d\ x ... x d n — > r, then af = 
Af(a dl , . . . , ad„) CT = Bf{a di ,... , a d ) = b r , since aj). = b di . This completes the 
induction. 

Hence it is clear that \/s £ S, a is 1-1 from A(,s) onto £>(s). \/f £ £ such that 
r(/) is functional, say di x . . . x d n — > r, we have V(xi, . . . , * n ) € A(d\ x . . . x d„), 

-4/( x i> . . .,x n y = Af(x i, . . .,a; n ) <T (since a;, y a di ) 

= . . . , <) (since < b di =a a d .). 

Hence the transformation is fair. 

Theorem 1. if £ C £' then I(£) ocp I(T ,/ ). 

Proof. If £ = { S,tF,r ) and £' = let £" = (. S',tF,r ), we obtain 

I(£) ocp I(£") by induction with lemma 1, and 1(£”) ocp I(T ,/ ) by induction 
with lemma 3. 

3 Non-monadic Signatures 

In this section we study the complexity of sorted objects of arity two. 

Lemma 4. GI ocp I( [~s x s — > o] ) and GI ocp I( |"s x t — > o] ) . 

Proof. An interpretation d of s x s - » o is a binary relation on A(s), which 
is essentially a directed graph with A(s) as set of vertices. Also, any graph 
G = (V, E) can be considered as an adjacency relation, i.e. the interpretation A 
of £ with £p = s x t — » o such that A(s) = V, Aft) = E, and Vu £ V, Ve £ 
E , Ar(v, e) = T iff v £ e. These trivial transformations are fair. 

These two cases will be the base for the five remaining cases of objects of 
arity two. We begin with the essentially unsorted case. 

Lemma 5. I([s x s — * o~| ) ocp I([~s x s — > s~|). 

Proof. If R £ £, f £ £' with £p = s x s — > o and £'j = s x s — > s, and given a 
A-algebra A , we consider two elements which are not in A(s), say t and f, and 
we build the IV-algebra A by _4(s) = A(s)l±){t, f} and (see figure 3) Var, y £ A(s): 

- Af(x, y) = t if Ar(x, y) = T, and f otherwise, 

- A f (x, t) = A f {x, f) = A f ( t, y) = A/( f, y) = A f ( t, t) = A f ( f, f) = t, 

- Af(t, f) = A/(f,t) = f. 




On the Complexity of Finite Sorted Algebras 101 









/ 


a 


b 


t 


f 


R 


a 


b 


t] 


f 


X 


t 


t 


a 


X 


X 


b 


f 


f 


t 


t 


b 


T 


T 


i 


t 


t 


t 


f 








f 


t 


t 


f 


t 



Fig. 3. From a, R : s x s — > o to a / : s x s - > s 



This transformation is polynomial, and invariant: given two A-algebras A and 
B (and B is constructed with elements t', f), it is easy to extend any a : A = B 
to a X-isoiriorpliism between A and B , by taking t a = t' and fff = f. 

Conversely, suppose that a : A = B. We have Vx, y G A(s),Af(x,y) a = 
Bf(x a , y a ) € hence {t^f 7 } = Vz € {t, f}, by definition we have 

t' = Bf(z a , z a ) = Af(z, z) a = t CT , and f CT = f , from which it is easy to conclude 
that a : A = B, hence the transformation is fair. 

In the next case, compared with the previous one, we release the constraints 
by taking one argument of a different sort. The main difference with the previous 
case is that we are no longer able to avoid f 7 yf f, but this only occurs in a 
particular, harmless case. 

Lemma 6. I(|~s xf-toj) ocp I([~s xf->f]) oc p I([~t xs->f]). 

Proof. As in the proof of lemma 5, if Sr = sxf-) o and S'^ = s x t — > t, 

and given a A-algebra A we build the A'-algebra A by A(s) = A(s), A(t) = 
Aft) l±l {t, f}, and (see figure 4) V(x, y) € A(s x t ): 

— Af(x, y) = t if Ar(x, y) = T, and f otherwise, 

- A f {x,t) = A f (x, f) = t. 

This transformation is trivially polynomial and invariant. 



R 


a ' 


b' 


/ 


a' 


b 1 


t 


f 


a 


X 


T 


t] 


T 


t 


t 


t 


b 


_L 




b 


f 


f 


t 


t 



Fig. 4. From afl:sxf-4otoa/:sxf->f 



If a : A = B, with A, B two If-algebras, we have Vx G A(s), t CT = Af(x, t) CT = 
Bf{x rT A a ) £ {t'jf}, hence t CT = Bf(x a , t CT ) = t'. If 3 (x,y) G A(s x t) such 
that Aii(x,y) = J_, then f 7 = Bf(x a ,y a ) G {t',f}, hence f 7 = f, from which 
it is easy to prove that a : A = B. If V(x, y) G A(s x t), Ar(x, y) = T, then 
Bf(x cr , y cr ) = t a = t', and hence V(x, y) G B(sxt),BR(x, y) = T, and A and B are 
also isomorphic. This proves that the transformation is fair. I(["s x t — > f"|) exp 
I( ft x s — » t]) is obvious. 




102 Thierry Boy de la Tour 



The next case is a further release of constraints by taking a third sort for the 
range. This time things get more complex, because the target structure has one 
more sort than the source, and we have to preclude any unwanted isomorphism 
on this new sort. 

Lemma 7. 



I( |~s x t — > o] ) ocp I( |~s x t — > u] ) 

I(\s x s — > o]) oc p I(fa x s — > w"|) 

Proof. If R £ E, f £ S' with Er = sxt-4 o and E/ = s x t — > u, given a 17- 

algebra A we build a If'-algebra A in the following way. We first consider two sets 
S, T such that S , T, ^4(s), Aft) are disjoint two by two, and \S\ = |„4(s)| + l, \T\ = 
|.4(i)| + 1, and we also consider t, f as above. A is build as follows (see figure 5): 

— .4(s) = 4(a) W S, Aft) = Aft) W T, Afu) = {t, f} , 

— V(x, y) € „4(s x t),Af(x, y) = t if either x £ S and y £ T, or x $ S, y $ T 
and Ar(x, y) = T; otherwise Af(x, y) = f. 

The transformation from A to A is obviously polynomial, and invariant: given 
17-algebras A,B (and B is constructed with sets S' ,T' and elements any 

^-isomorphism a : A = B can be extended by t CT = t', f a = f , by any bijection 
from S to S' and from T to T'). 



R 


a' b' 


a 


A T 


b 


X X 



Fig. 5. From ai?:sxf-»otoa/: 



f 1 


a' 


6' 


c' 


d' 


e' 


n 


f 


T 


f 


f 


f 


b 


f 


f 


f 


f 


f 


c 


f 


f 


t 


t 


t 


d 


f 


f 


t 


t 


t 


e 


f 


f 


t 


t 


t 



xt-^M, with S = {c, d, e}, T = {P , d', e'} 



If a : A = B, we have {t CT , f CT } = {t', f } as above. Let n = |^4(s)|, m = |-4(f)|, 
we can view Af as a (n, m)-matrix; it clearly contains a sub-matrix uniformly 
equal to t (this is (-4/)|s x t)> hence the (n,m)- matrix Bf contains a (|5|, |T|)- 
matrix uniformly equal to t CT , and also a (|«S I/ |, T'lj -matrix uniformly equal to 
t'. Since |5'| = |5| > n/2 and \T'\ = \T\ > m/2, these sub-matrices have to 
intersect, hence t a = t', and = f hold. 

Suppose there is an x £ S such that x a £ S', then My £ T,Bf(x a ,y a ) = 
Af(x, y) a = t', hence y a fL V . Therefore B a n V = 0, hence B a C B(s), which 
is impossible since \T a \ = |Tj = \T'\ > |S(s)|. We conclude that Mx £ S,x a £ S' , 
hence -4(s) CT = B(s), and similarly -4(t) CT = B(t ), and we easily obtain a : A = B, 
which proves that the transformation is fair. This proof holds if s = t by taking 
S = T. 




On the Complexity of Finite Sorted Algebras 103 



Theorem 2. If £ is a non-monadic signature, then 1(17) is isomorphism com- 
plete. 

Proof. £ contains a / such that £f is not monadic. Let r = mg £ f, s,t the last 
two sorts in dom47/ (we may have s = t), and r = s x t — > r, by successive 
applications of lemma 2 we obtain I([Y]) ocp I(|T7/]). By theorem 1, we also 
have I( \£ f ] ) oc P I(i7). 

If r = o, lemma 4 yields GI ocp I(|V|). If r is a sort, we have three different 
cases. If r ^ {s, t}, we also use lemma 7 to get GI ocp I( [r] ), if r = s = t, we 
use lemma 5, and if r G {s, t} with s t, we use lemma 6 to get the same result. 
We therefore have GI ocp I(|"r]) ocp I(|~27/"|) ocp 1(£) ocp GI (this last fact is 
well-known, see e.g. [3] [4]). 

4 Hard Monadic Signatures 

In this section and the next we only consider monadic signatures. From now on, 
the term “monadic functions” refers to function symbols which are not predicate 
symbols. We will prove that the complexity of binary relations can be simulated 
by pairs of well chosen monadic functions. The criterion for a pair of functions to 
have this property is purely syntactic: they should have the same domain sort. 
In graph theoretic language, this means that this domain sort s, as a vertex of 
Gs, has an output degree (number of edges out of s, noted d + (s)) at least 2. 
We start with the case where these monadic functions have different domain and 
range sorts. 

Lemma 8. 

t(\t X U — > o]) ocp I(|"s — > t, S — > ti]) 

I( f£ x t — > o]) ocp I(|~s — > t, s — > t}) 

Proof. Let £ be the signature with the unique symbol R and £ R = i x u — > o, 
and £' with only the symbols /, g and £f = s — > t and £' g = s — > u. To any 
17-algebra A we associate the ^'-algebra A defined by (see figure 6) : 

- A(t) = A(t),A(u) = Al(u), 

- A(s) = {(x,-y) €~A(t x u)/A R (x,y) = T}, 

- V(x,y) G A(s),Af({x,y)) = x and A g ({x,y)) = y. 

If a : A = B, we extend a to all (x,y) G ^4(s) by (x,y) a = (x a , y a ). Since 
V(x, y) G Aft x u), we have (x,y) G ^4(s) iff A R (x,y) = T iff B R (x a ,y a ) = T 

iff (x a , y a ) = (x, y) a G B(s), then a is clearly 1-1 from Al(s) onto B(s). We also 

have V(x, y) G A{s),Af{{x,y)Y = x a = Bf((x, y} a ), and similarly for g , hence 
a : A = B.~ 

If a : A = B, then V(x, y) G Al(s), we have Bf((x,y) a ) = Af{{x,y)) a = x a , 
and Bg{{x, y) a ) = y a , hence (x,y) a = (x <T ,y <T ). Then V(x, y) G Aft x u), we 
have A R (x,y) = T iff (x,y) G Al(s) iff ( x,y) a G B(s) iff B R (x a , y a ) = T, hence 
a : A = B. The transformation is therefore fair, and it is trivially polynomial. 
This proof holds if t, = u. 




104 Thierry Boy de la Tour 




Fig. 6. From a, R : t x u — > o to a / : s - + t, g : s u 



We now turn to the case where monadic functions have the same domain and 
range sort, which is more difficult than the previous one since we somehow have 
to “mix” in one set both the domain and the range of a function. 

Lemma 9. 

I( fs X S — ► o]) ocp I( [£—>£,£—> it]) 

I( fs x s — + o]) kp I([i t]) 

Proof. Let £ be the signature with the unique symbol R and U R = s x s — > o, 
and £' with only the symbols /, g and = £ — > £ and £' g = £ — * u. To any 
47-algebra .4 we associate the 47'-algebra A defined by (see figure 7): 

- A(t) = {(a:, £)/x G A(s)} W {(y, z, t)/y , 2 G A(s),A R (y, z) = T}, 

- A(u) = {{x, u)/x G A{a)} W {(y, z, u)/y, z G A{s),A R (y,z) = T}, 

- V(x, £) G .4(f), „4/((x, £)) = (x, £) and ,4 g ((x, £)) = (x, it), 

- V(t/, 2 , £) G -4(£), -4/((y, 2, £)) = (y, £) and .4 g ((y, 2 , £)) = ( 2 , it). 

Remark that .4(£) D A(u) = 0 and t = u => „4(t) = .4(it). 




/ 9 

{ a,b,t ) / (a, ft, it) 

Fig. 7. From ai?:sxs->otoa/:£->£,j:£->u 



If u : ^4 = £?, we consider the function a from *4(£) to B(t) and from „4(it) to 
B(u) defined by: Vx G -4(s), and Vy, 2 G .4(s) such that A R (y, z) = T, 




On the Complexity of Finite Sorted Algebras 105 



- (x,t) a = {x a ,t), 

- (y,z,t) a = (y°,z°,t), 

- ( x,u) a = ( x a ,u }, 

- ( y,z,u) a = ( y a ,z a ,u ). 

Since \/x G Al(s), we have (x,t) € A(t) iff x G .4(s) iff x a € B(s) iff (x a ,t) — 
( x,t) a € B{t)\ and Vy, z € -4(s), we have ( y,z,t } G .4(t) iff Aii(y,z) = T iff 
Bn(y e7 ,z' 7 ) = T iff (y a ,z a ,t) = ( y,z,t) a G <B(t), then a is 1-1 from A(t) onto 
B(t), and similarly 1-1 from A(u) onto B(u). 

By definition of a, Af and Bf we have \/x G A(s), Af((x,t)) a = ( x,t) a = 
(x a ,t) = B f ({x a ,t )) = B f ((x,t) a ) and \/{y,z,t) G »4(t), -4/((y, 2 , f))“ =~{y,t) a = 
(y a ,t) = Bf{{y a ,z a , t )) = Bf((y, z, t) a ). Similarly, by definition of a, A g and B g 
we have \/x G «4(s), A g ((x, t)) a = ( x, u) a = ( x a , u ) = B g ((x a ,t)) — &g(( x A) a )i 
and V(y,z,t) G A(t),A g ((y,z,t)) a =~(z,uY* = {z a ,u) = B g {{y a , z a ,t)) = 
B g ((y, z,t} a )- We conclude that a : A = B, and that the transformation is 
invariant. 

Conversely, if a : A = B, then \/x G A(s) , B f ((x , t) a ) = Af((x,t)) a = { x,t) a > 
i.e. (x, t) a is a fix point of Bf, hence is of the form (y, t), with y G B(s), and this 
y is unique (for a is 1-1); this defines a function a from _4(s) to B(s). We also 
have V(y,z,t) G A(s),B f ((y, z,t) a ) = A f ({y,z,t)) a = ( y,t) a , hence ( y,z,t) a 
is not a fixpoint of Bf, and should therefore be of the form (y r ,z',t). Since a 
is 1-1 from A(t) onto B(t), it is therefore also 1-1 form {{x,t)/x G Al(s)} onto 
{(yA)/y G ^( s )}i hence a is also 1-1 from Al(s) onto B(s). 

\/x G Al(s), since x a G B(s), we have B g ((x cr ,t)) = ( x a ,u ), and by definition 
of a we have (x a ,t) = ( x,t) a , hence by isomorphism ( x a ,u ) = A g ((x,t)) a = 
(x,u) a . We therefore have \/(y,z,t) G A(t),B g ((y,z,t) a ) = A g ((y, z,t)) a = 
(. z,u) a = ( z a ,u ), while Bf((y,z,t) a ) = ( y,t) a = ( y a ,t ) has been established 
above. We know that (y, z, t) a is of the form (y r ,z' , t ), hence by definition of Bf 
and B g we get y' = y° and z' = z a . 

We conclude that \/y, z G A{s),A{y,z) = T iff ( y,z,t ) G A(t) iff ( y,z,t) a = 
(■y a ,z l7 ,t) G B(t) iff B(y a ,z a ) = T, hence that a : A = B. Hence the transfor- 
mation is fair, and trivially polynomial. This proof holds if t = u. 

Theorem 3. If £ is a monadic signature such that d + (Gi;) > 1 then 1(17) is 
isomorphism complete. 

Proof. If d+(G E ) > 1, then 3s G S,3f,g G £ such that dom / = doing = s. 
If rng f = s or rng g = s, we use lemma 9, otherwise lemma 8, and we get 
GI ocpI(\£f, £g\) (together with lemma 4). We then proceed as in theorem 2. 

5 Easy Monadic Signatures 

We now prove that the isomorphism problem for all other signatures, i.e. monadic 
such that Gs has output degree at most one, is polynomial. We first provide the 
simplest possible representation of the corresponding algebras. 




106 Thierry Boy de la Tour 



Definition 3. A graph G = (V, E) is a partial function graph (or PFG), if E 
is the graph of a partial function from V to V. A labeled PFG (or LPFG), is a 
vertex-labeled graph whose underlying graph is a PFG. The isomorphism problem 
between LPFG’s is noted LPFGI. 



Lemma 10. If £ is monadic and d + (Gi;) < 1 then 1(17) ocp LPFGI. 

Proof. We transform 17-algebras A into graphs. Vs £ S , let T s be the set of 
predicate symbols of type s — > o in £, and \/x £ -4(s), let 

'Pa(x) = {P £ V s /Ap(x) = T} and Cy i(x) = {c £ £/£ c = s and A c = x}. 

To any s £ S and x £ «4(s) we associate a different vertex v(s, x) labeled by 
(s, Va(x),Ca(x)). To any function symbol / £ £, say £ f = s —* t (with possibly 
s = t), and any x £ A(s) we associate the directed edge (v(s, x),v(t,Af(x))) (see 
figure 8), thus constructing a labeled directed graph Ua, called the underlying 
graph of A. Remark that Vs £ S, \/x £ -4(s), there is at most one / £ £ such 
that dom / = s, hence there is at most one edge out of v(s, x). Hence the graph 
Ua is a LPFG. The transformation from A to Ua is polynomial. 



/ 




( (s,{P 


h{e» ) v ( s ’ a ) 


T 

\ 


1 


( <s,{P},0> ) v(s,b) 


a i 


1 


( ( (s, 0, 0) ) v(s,c) 






Fig. 8. An algebra A and the corresponding Ua , with /:s— »s, P:s— »o,e:s 



We now consider two 17-algebras A, B and their underlying graphs Ua and 
Us (where Us is constructed as above with vertices v'(s,x )), and we first prove 
that the transformation is invariant. 

If a : A = £>, let a be defined by Vs £ S,\/x £ A(s),v(s,x) a = v'(s,x a ), it 
preserves labels iff Va{x) = Vsix 0 ) and Ca{x) = Cs(x a ), which is obvious since 
VP £ V s ,Bp(x) = Ap(x a ) and Vc £ £, c £ Ca( x) iff A c = x iff B c = Af = x a 
iff c G Cs(x a ). Edges are also preserved by a, since (v(s, x), v(t, Af(x))) a = 
(v(s,x a ),v(t,Bf( x a ))) is an edge of Us , hence a : Ua — Us- 

Conversely, if a : Ua — Us , then Vs £ S,\/x £ -4(s), by the preservation of 
labels there is a unique y £ B(s) such that v(s, x) a = v'(s, y), and we note it x a . 




On the Complexity of Finite Sorted Algebras 107 



For any / Go - , say Ef = s — > t, then \/x £ -4(s), the unique edge out of v(s, x) a 
should be the image of the unique edge out of v(s, x), i.e. (v(s, x), v(t, Af(x))) a = 
(v'(s,x <T ),v , (t,Bf( x 17 ))), hence Af(x) a = Bf(x a ). Moreover, for any P € E, say 
Ep = s —> o, then Vx £ A(s), we have Ap(x) = T iff P £ Va(x), part of the 
label of v(s, x), iff (by the preservation of labels) P £ Vb{x ° ), part of the label 
of v'(s, x a ), iff Bp{x G ) = T. Similarly, for any c £ E, let x = A c and s = E c , we 
have c £ C^(x), part of the label of v(s, x), hence c £ Cs{x a ), part of the label 
of v'(s, x a ), hence B c = x a = A a c . Hence a : A = B. 

Remark that not all LPFG’s correspond to 17-algebras, since the structure 
of labels is a special one. The following proof analyses the structure of PFG’s, 
hence gives good insight into the structure of “simple” algebras. 

Lemma 11. The problem LPFGI is polynomial. 

Proof. Since testing the isomorphism of two graphs with n connex components 
each requires 0(n 2 ) tests of isomorphisms between connex components, we may 
only consider connex LPFG’s. In such a graph G = (V, E), there is at least one 
undirected path between two vertices Vi,V 2 - If d + (ui) = d + (v 2 ) = 0, then such 
a path must contain a third vertex v with d + (u) > 2, which is impossible. Hence 
there is at most one vertex r with cl + (r) = 0. If there is such a r, then the 
number of vertices exceeds the number of edges by one, hence G is a tree, with 
edges directed to the root r. 




Fig. 9. Example of a PFG 



If there is no root in G, i.e. Vu £ V, d + (u) = 1. Let vq £ V , and Vi £ N, Vi + \ 
is the unique vertex such that (vi,Vi+ 1 ) £ E. Since V is finite, 3 i,j,i < j and 
Vi = Vj, hence G contains a cycle, of length c = j — i. By removing one edge 
from the cycle we obtain a connex LPFG with a root, hence a tree, which proves 
that G is a cycle of trees (figure 9). 

It is clear that testing the isomorphism of two cycles of c labeled trees requires 
at most 0(c 2 ) tests of isomorphism between labeled trees, well-known to be 
polynomial. 




108 Thierry Boy de la Tour 



Theorem 4. If £ is monadic and d + (G.c) < 1 then I(i7) is polynomial. 

Proof. This is a direct consequence of lemmas 10 and 11. 

Therefore, if we agree that GI is not polynomial, we get the result that 1(17) 
is not isomorphism complete only in the case that £ is monadic and no two 
functions have the same domain sort. To state it differently, a finite 17-algebra 
can fairly represent a graph if and only if either £ is not monadic or contains 
at least two function symbols with the same domain. Remark that monadic 
predicates have no influence on 1(17). 

If we translate this result to standard first order signatures (without sorts), 
which is equivalent to the sorted case with |<S| = 1, we get that I(i7) is not 
isomorphism complete exactly when £ is monadic and has at most one func- 
tion symbol. In comparison, the sorted case has a much richer structure, since 
polynomial cases are obtained with any monadic £ such that Ge is a PFG, and 
any PFG can be obtained as a Ge (more than once since atomic objects and 
monadic predicates are not represented in Ge). However, the PFG underlying 
a 27-algebra A may not be any PFG, and is closely dependent on Ge- For in- 
stance, f7 4 may contain trees as connex components iff this is also the case of 
Ge- Hence our embedding of simple algebras into LPFG, though fair, is not an 
exact one. 

References 

1. M. Garey and D. S. Johnson. Computers and intractability: a guide to the theory 
of NP- completeness. Freeman, San Francisco, California, 1979. 

2. C. Hoffmann. Group-theoretic algorithms and graph isomorphism. Lecture Notes in 
Computer Science 136. Springer Verlag, 1981. 

3. Dexter Kozen. Complexity of finitely presented algebras. In Conference Record 
of the Ninth Annual ACM Symposium on Theory of Computing, pages 164-177, 
Boulder, Colorado, 2-4 May 1977. 

4. Gary L. Miller. Graph isomorphism, general remarks. Journal of Computer and 
System Sciences, 18:128-142, 1979. 




A Further and Effective Liberalization of the 
(5-Rule in Free Variable Semantic Tableaux 



Domenico Cantone and Marianna Nicolosi Asmundo 



Universita di Catania, Dipartimento di Matematica 
Viale A. Doria 6, 1-95125 Catania, Italy 
{cantone ,nicolosi}@cs .unict . it 



Abstract. In this paper, we present a further liberalization of the (5-rule 
in free variable semantic tableaux. It is effective in that (1) it is both a 
natural and intuitive liberalization, and (2) can reduce the proof size non 
elementarily as compared to previous versions of the (5-rule. 



1 Introduction 

Proof procedures for first-order predicate logic such as semantic tableaux need 
means to deal with existential quantifiers. In general there are two different 
ways to do this. One way is to Skolemize the formula to be proven in a pre- 
processing step, obtaining a purely universal formula at the expense of a richer 
signature. The other approach is not to use a preliminary Skolemization but to 
add a tableau expansion rule for treating the essentially existential formulae, so 
that Skolemization is performed during the proof construction when existential 
formulae are encountered on tableau branches. In substance, there is no differ- 
ence in applying either of the two methods, but we believe that adding a rule 
for the existential formulae to the tableau expansion rules and eliminating the 
preliminary Skolemization phase makes the proof procedure more natural and 
is generally preferable. 

In this paper we follow the second approach, presenting an expansion rule 
for existential formulae based on the global Skolemization technique described 
in [4] and [3] . The central idea of our method is to perform - during the proof 
- a “delayed” global Skolemization of the formula to be proven. This approach 
differs from the widespread “local” Skolemization technique in that the (infinitely 
many) Skolem function symbols for eliminating all existential quantifiers are 
introduced in a single shot. 1 

We will define a (5-rule going beyond existing (5-rules in the literature in that 
sense, which is able to reflect structural similarities in a natural way. This reduces 
the number of Skolem functors and of variables dependencies in the proofs. 



1 In [4] and [3] the possibility is contemplated to get rid of the universal quantifiers as 
well, returning a formula devoid of quantifiers. 



R. Caferra and G. Salzer (Eds.): Automated Deduction, LNAI 1761, pp. 109—125, 2000. 
(c) Springer- Verlag Berlin Heidelberg 2000 




110 



Domenico Cantone and Marianna Nicolosi Asmundo 



2 Preliminaries 

Before going into details, we introduce some notations and terminology. 



2.1 Signatures and Languages 

Let E = (V,F) be a signature , where V and T are countable collections of 
predicate and function symbols, respectively, and let Var be a fixed countable 
collection of individual variables. Then the language Ce is the collection of all 
first-order formulae involving besides the standard logical symbols, individual 
variables in Var, and predicate and function symbols of the signature E. 

For any formula p in the language Ce, the collection of free variables occur- 
ring in p is denoted by Free(p). 

It is convenient to assume that the individual variables Var are arranged in 
a sequence . . . , X-2, X-i, xq, xi, X2 , . . ., and that two subsequences 



— Var = {x-i, X-2, ■ • •} (to be used later for bound variables), and 

— Var + = {#0, xi, X2, ■ ■ •} (to be used later for free variables) 

are singled out. Then by C\ we denote the collection {p £ Ce : Free(p) C 
Var + }. 

Without loss of generality, we will assume in the following that no formula 
contains free occurrences of variables in Var~ . 

Given a finite set S C Var + , we denote by 1 ? the sequence of variables in S 
ordered by increasing index. 



2.2 Structures and Assignments 

A structure M = (P,X) for a signature E = ( V,T ) consists of a domain V 
and of an interpretation X for the function and predicate symbols in E such 
that P x : £> arlt y( p ) — > {true, false}, for every predicate symbol P £ V, and 
fi . parity (/) £>, for ever y function symbol / £ T . 

An assignment A relative to a structure At = (V,X) and to a language Ce is 
a mapping A : Var — > T>. An x- variant of an assignment A is an assignment A ' 
such that y A = y A , for every variable y different from x. We use the notation 
A[x <— d] to denote the a> variant of A such that x A = d, where d £ V. 

The notions of satisfiability and validity of a (set of) formula(e) are the 
standard ones. So, for instance, we write (A4, A ) \= p to express that the formula 
p is true when its predicate and function symbols are interpreted by X, its free 
variables by A, and its logical symbols are interpreted in the classical way. In 
such a case we write also p I,A = t. The notation M. \= p is used to indicate 
that {M ,A) \= p, for every assignment A , whereas j= p denotes that M \= p, 
for every structure Ai over the signature of the language. 




A Further and Effective Liberalization of the 5- Rule 



111 



2.3 Unifying Notation 

For the sake of simplicity we use Smullyan’s unifying notation, which has the 
advantage of being compact, cutting down on the number of cases that must be 
considered. Smullyan divides the formulae of the language into four categories: 
conjunctive, disjunctive, universal, and existential formulae (called a-, 0-, 7-, 
and (5-formulae, respectively). According to this notation, our interest is clearly 
devoted to (5-formulae. 

Given a (5-formula 5, the notation 5o(x) will be used to denote the formula 
ip, if (5 is of the form (3x)ip, or -up, if 5 is of the form “i(Va :)tp. In any case, we 
will refer to 5o(x) as the instance of 5 and to x as the quantified variable of 6. 

Likewise, for any 7- formula 7, 70 (x) denotes the formula (p of -up, according 
to whether 7 has the form (\/x)ip or -i(3 x)ip, respectively. 

Let us define the complement operator C over a language Cs'- 

(2 X = ->Z 

^ ' ( -iX otherwise. 

Then to each a- and /3-formula, one can associate two components, denoted 
respectively by on, a 2 and by /3i, 02, in the following way. 



a 


Ct 1 


Oi2 


0 


0i 


02 


IA Y 


A' 


Y 


Ivf 


X 


Y 


->(X V Y) 


C(A) 


con 


->(X A Y) 


C(A) 


c (Y) 


-’(X D Y ) 


X 


con 


(AdF) 


C(A) 


Y 



The following equivalences hold: 

|= a = ai A a 2 \= 0 = 0i f\02 |= 7 = (Vx)jo(x) 1= 5 = (3x)5q(x) . 



2.4 Different Variants of the 5-Rule 



As semantic tableaux have recently been subject of a renewed interest, many 
attempts have been made to optimize them. One of the main goals has been to 
obtain shorter proofs by means of strategies which restrict the search space. 

An important role has been played by the 5-rule, which has gone through 
various liberalization phases since its introduction in [7] . 

We start with the original proviso of the 5-rule in the context of ground 
tableaux, where the signature has been enriched with a countable collection C of 
new parameters of arity 0, so that the introduction of an “uncommitted” (new) 
parameter is always guaranteed (thus preserving the soundness of the system). 
That leads to the following formulation: 



5 

W ’ 



(1) 



where p is a new parameter not occurring in the branch to which the 5-rule is 
applied. 




112 



Domenico Cantone and Marianna Nicolosi Asmundo 



A first liberalization of (1), due to Smullyan, allows the same parameter p to 
be used more than once, provided that either it does not occur on the current 
branch, or the following conditions hold simultaneously (cf. [7]): 

— p does not occur in <5; 

— p has not been previously introduced by any application of the (5-rule; 

— (5 contains no parameter that has been introduced by a (5-rule. 

Notice that such restrictions allow to use, when expanding (5-formulae, parame- 
ters already introduced by expansions of 7- formulae. 

On the other hand, the 7-rule for ground tableaux causes problems in closing 
branches. In fact it is too liberal, as it allows to substitute the quantified variable 
with an arbitrary and fixed, ground term. Since the choice of a term could be the 
wrong one, the 7-rule may need to be applied several times to the same formula. 

A solution to this problem has been the introduction of free variables in 
semantic tableaux, in order to postpone the instantiation of terms until when 
more information is available. In this case, the signature needs to be extended 
with a collection T' of new function symbols containing countably many function 
symbols of any given arity. 

Accordingly, in free variable tableaux the (5-rule has been modified as follows: 

5o(f(xi,...,Xn)) ’ ^ 

where x\, . . .,x n are the free variables occurring on the branch to which the 
(5-rule is applied, and / is a new function symbol (cf. [5]). 

Subsequently, Hahnle and Schmitt realized that the proviso in (2) is too 
strong and can be weakened by requiring that Xi, ... ,x n are the free variables 
occurring in 6 and f is a new function symbol , thus introducing the <5 + -rule (cf. 
[6]). Clearly, reducing the number of free variables in Skolem terms make the 
tableau system more efficient, as it allows a faster closure of the branches. 

Beckert, Hahnle and Schmitt observed later that even the requirement that 
the Skolem function symbol must be new to the branch can be weakened, leading 
them to the introduction of the following <5 + -rule (cf. [2]): 



6 

^0 (/[<5] (•£ 1 5 • * * ; *£ri)) 



(3) 



where Xi, ... , x n are the free variables occurring in S and is a new function 
symbol assigned to the collection of formulae which are identical to (5 up to 
variable renaming (including renaming of bound variables) . 

Finally, another variant of the (5-rule, which has been called <5*-rule, has been 
introduced by Baaz and Fermiiller in [1], leading to a non-elementary speedup 
with respect to previous variants of the (5-rule. It can be formulated as (3) but 
with the proviso that Xi . . . , x n are the relevant variables occurring in 6. More 
specifically, one first defines for any formula p, the set Rel(ip, x) of free variables 
that occur relevantly w.r.t. a free variable x as follows: 




A Further and Effective Liberalization of the S - Rule 



113 



- If x £ Free{p), then Rel(p, x) = 0. 

Otherwise: 

- If p is an atomic formula, then Rel(tp , x ) = Free(ip) \ {a:}. 

- If p = -iip, then Rel(p , x) = Rel(ip, x). 

- If p = ipi V ip 2 and x (f Free{ipi), with i £ {1,2}, then Rel(p,x) = 
Rel(ip 2 -i , x). If x € Free(ipi) fl Free{ip 2 ), then Rel(p , x) = Free(p) \ {a;}. 
(Similarly for p = ip\ A ip 2 and p = ip\ D ip 2 -) 

- If p = ( Qy)ip , then Rel(p,x) = Rel(ip,x) \ {(/}, where the occurrence of Q 
is strong in the original formula; 2 otherwise Rel(tp, x) = Free(<p) \ {a:}. 

If S is a (5-formula with quantified variable x, then the set of relevant variables 
of (5 is defined as Rel(So{x),x). Notice that in general, the relevant variables of 
a formula S can be a proper subset of Free(6). 

3 A New Liberalization of the 5-Rule 

The new liberalization of the (5-rule presented in this paper, called (5* -rule, 
is based on the combination of (a recursive generalization of) the concept of 
relevant variables together with the notion of key formulae (adapted from [4]). 

As we will show, the overall effect will be not only a general reduction on the 
number of variable dependencies in Skolem functions, but also a wider reusability 
of the same Skolem symbols, thus leading to shorter tableau proofs. 

3.1 Canonical and Key Formulae 

The notion of key formulae is of great importance to the technique of global 
Skolemization, as it characterizes the formulae in the language that need to be 
assigned their own Skolem function symbol. We will see that to each formula 
there corresponds a unique key formula. 

Before going into details, we intuitively clarify the concept with some exam- 
ples. 

Example 1. Suppose that during the construction of a tableau, we need to ex- 
pand the (5-formula (3a:)r(x, y). Application of either the <5 + - or the (5*-rule 
would result in the formula r(gpy), y ), with g a new function symbol. 

If later in the proof, we have to expand the formula (3w)r('ic, z), again both 
(5-rules would recognize that the same Skolem function symbol g introduced for 
(3x)r(a;, y) can be reused, since the two (5-formulae are identical up to variable 
renaming. Thus, the expansion results in the formula r(g(z),z). 

However, if we need to expand the (5-formula (3x)r(x, k(z)), then both <5-rules 
would introduce a new Skolem function symbol, say /, resulting in the formula 
r(f(z),k(z)), whereas the (5* -rule would recognize that the same previously 
introduced Skolem symbol g can be reused again, as all three (5-formulae share 
the same key formula r{x o, aq), thus yielding r(g(k(z)), k(z)). □ 

2 We recall that in our context an existential quantifier occurrence is strong if it is 
positive and that a universal quantifier one is strong if it is negative. 




114 



Domenico Cantone and Marianna Nicolosi Asmundo 



Example 2. Let us suppose that the following formulae occur in a tableau proof: 

(3 x)p(x,y) (3w)p(w, f(f(z))) (3 x)p(x,h(h(h(z)))) . 

If we apply any of the previous versions of the (5-rule (see [5], [6], [2] and [1]), 
then we have to assign a different Skolem function symbol to each of them. On 
the other hand, applying the (5* -rule, the same Skolem function symbol can be 
reused, since all the above formulae share the same key formula p(x o, xf). □ 



We now proceed to formally define the notion of key formulae. This definition 
is slightly different from the one given in [4] and [3] , since now a key formula is 
allowed to contain quantifiers. 

We first define the notion of canonical formulae. 

Definition 1. A formula p is said to be canonical (with respect to the vari- 
able xq ) if: 

— there is a k > 0 such that the bound variables of p are {x_i, . . . , X-k}, these 
appear in p in the order x_i, . . . , X-k from left to right, and each, of them is 
quantified only once (though may occur multiply); 

— there is an n > 0 such that Free{p) \ {xo} = {x\, . . .,x n }, these variables 

appear in p in the order xi,...,x n from left to right, and each of them 
appears only once in p. □ 



Every formula p can be canonized with respect to a designated variable x, in 
the sense that there exists a unique corresponding canonical formula p, such that 
p and pa are equal up to renaming of bound variables, where a is a substitution 
free for p which maps variables into variables and such that xa = xo- 

Example 3. The canonical formula p\ with respect to x corresponding to the 
formula 

V = {3y)(3z)(R(x, f(y),z, h(w, w)) A Q(u, v)) 
is 

PI = (3x-i)(3x-2)(R(xo, f(x- 1), x_2, h(xi, x 2 )) A Q(x 3 , x 4 )) . 

□ 



We define key formulae to be canonical formulae that are most general with 
respect to substitutions. 

Definition 2. A formula p is said to be a key formula if 

— it is canonical with respect to Xo, and 

— for each canonical formida if>, if there is a substitution a which is free for 

(3xq )ip an< i such that p = ifa XQ , then = p. 3 □ 



3 We recall that a xo denotes the substitution which leaves xo unchanged and otherwise 
is equal to a. 




A Further and Effective Liberalization of the S - Rule 



115 



To any formula of the language there uniquely corresponds a key formula, as 
the following lemma states. 

Lemma 1. Let ip be a formula in the language and let a £ Var + be any 
variable. Then there exists a unique key formula p, denoted by Key(ip,Xi), and 
a non-empty collection of substitutions free for p, denoted by SubstKey(ip,Xi), 
such that for each a £ SubstKey(ip , xf) we have 

— ip and pa are identical up to renaming of bound variables, 

— Xo a — Xi, and 

— Xi does not occur in xa for x ^ Xq. 

Sketch of the proof. The following algorithm construct a key formula p and 
a substitution a which satisfy the conditions of the lemma. 

1. Rename all bound variables in ip by x_i, X- 2 , ■ ■ going from left to right. 
Let ip\ be the resulting formula. 

2. Locate in ipi the leftmost term t\ not containing Xi or any bound variable 
and continue the process until a term t n is found such that there is no further 
term not containing X{ or any of the bound variables. Let t\, . . . ,t n be the 
sequence of terms so obtained. 

3. Let p be the formula resulting from simultaneously substituting in ip\ the 
terms x, t \, . . . , t n by the variables xq, x\, . . . , x n , respectively, and let a = 
{xq/x, Xi/ti, . ..,x n /t n }. 

4. Return p and a. 

Uniqueness of p can easily be shown. ■ 

Example f. We continue from Example 3. The key formula with respect to x 
corresponding to 

T = (3y)(3^)(i?(a;, f(y), z, h(w, w)) A Q(u, v)) 
is 

P 2 = (3x- 1 )(3x- 2 )(E(x 0l f(x-i),X- 2 , Xi) A Q(x 2 , x 3 )) . 

A substitution a satisfying the conditions of the above lemma is 
a = {x 0 /x, xi/h(w,w), x 2 /u, x^/v} . 

Notice that we have 

p 2 a = (3x_i)(3x_ 2 )(R(x, /(x_ i), x_ 2 , h(w, w )) A Q(u , t>)) . 

□ 



3.2 Relevant Extracted Formulae 

In [1] the notion of relevant variables of a formula p with respect to a free vari- 
able x is introduced, in order to reduce the number of arguments in Skolem 
function symbols (cf. the end of Section 2.4). One can go further by using a re- 
cursive definition of relevant variables. Instead, we define the notion of relevant 
extracted formulae, that not only allows to reduce the number of arguments in 
Skolem terms (and thus the number of variable dependencies) but also, in com- 
bination with the notion of key formulae, allows to generate the same Skolem 




116 



Domenico Cantone and Marianna Nicolosi Asmundo 



symbols for existentially quantified formulae that differ only in irrelevant sub- 
formulae such as, for instance, the formulae (3 x)(p(x) A q) and (3x)(r V p(x)). 

For the purpose of simplifying the statement of the following definition, we 
introduce the concept of “empty formula”, to be denoted by A. We do not bother 
to interpret A in any particular way. We only require that both -i A and (Qy)A, 
where Q stands for any quantifier, are to be considered as syntactic variations 
of A, and that A® ip, ip ® A, where ® stands for any binary connective, are to 
be considered as syntactic variations of ip, for any formula ip. 



Definition 3. Let ip be a formula, and let S be a set of variables. We define the 
relevant extracted formula for ip w.r.t. S, denoted by RelF(ip, S), as follows 

— if Freefp) 0 5 = 0, then RelFfip, S) = A, 

— otherwise: 



RelFfip, S) 



RelFfip, S) 

RelF(a i, S) A RelF(ot 2 , S) 
' RelF(Pi, S) V RelF(P 2 , S) 
(3y)RelF(6 0 (y),SU{y}) 
{Vy)RelF( / yo(y), S U {y}) 



if ip is a literal 
if<P= ^~"P 
if p = a 
if <P = P 

if <p = 6= (3 y)S 0 (y) 
if <p = 'i = (Vj/)7o(y) 



□ 



The following lemma, which can be proven by structural induction and some 
elementary metalogic manipulations, gives two properties of relevant extracted 
formulae which will be used in the soundness proof of the S* -rule. 

Lemma 2. Let ip be a formula of the language let S = {y\, . . . , y r } be a 
set of variables, and let ip = RelFfip, S). If RelF^ip, S) A, then 

(a) |= ip D ip 

(b) b (3yi) • • • (3 y r )ip D (Vj/i) . . . (Vy r )(ip D ip). 

□ 



3.3 The 6**-Rule 

Let again E = {V, T) be a fixed countable signature and let IF be a collection 
of function symbols, disjoint from T and such that T contains countably many 
function symbols for any arity (constants are considered as function symbols of 
arity 0). 

Then, we can define by recursion an injective map 

h : Cf; x Var — > T , 

where E = (V, T U Range(/i)), such that arity (h VtX ) = | Free(ip) \ {x}|, for all tp 
in C £ and x in Var A 

Now we have everything at hand to give the formal definition of our <5* -rule. 

4 We will use the notation h VtX to denote the function symbol h{ip,x). Also, for con- 
venience, we will write just h v in place of h VtXo ■ 




A Further and Effective Liberalization of the S - Rule 



117 



Definition 4. Let 6 be a 6-formula in the signature E not involving any free 
variable in Var~ , let p i = Key(6o(x),x), and let a £ SubstKey(6o(x ) , x) , where 
x is the quantified variable of 6. Also, let p 2 = RelF(p\,{xo}), and let S V2 = 
Free(p 2 ) \ {xq}. Then the 6* -rule can be schematically described as follows: 



5 6 

$o(K 2 (3‘p 2 ) a ) 

ifp 2 ^A. if <p 2 = A. 



(4) 

□ 



Example 5. Application of the (5* -rule to the formula ( 3x)(p(x , y) A r(z)) yields 
p(f\ (y), y) A r(z). According to the notation in the above definition, we have 

6 = (3x)(p(x,y) A r(z)) 

6 0 (x) = p(x, y) A r(z) 

Pi = Key(6 0 (x),x) = p(x 0 , Xi) A r(x 2 ) 
o’ = {xi/y, x 2 /^} 

Pi = RelF(p i, {x 0 }) = p(x o, xi) 

S V2 = Free(p 2 ) \ {x 0 } = {xi} (hence S V2 a = {y}) 
h<P2 = /i • 



□ 

By using the above <5* -rule in tableau proofs of formulae of the language 
only a sub-signature of E is actually needed. This can recursively be defined as 
follows. Let Eq = E and 1F 0 = T and put for each i > 1 

Ti = {h v : p = RelF(Key(6o(x), x), {xo}), for some (5-formula 6 in the 

language with quantified variable x} \ (J* =0 

Si = (V, U- =0 ^) ’ 

Then the sub-signature of E we are interested in is 

£<x> = cp,ur=o^)- ( 5 ) 

If for any sentence p in the language C + , we denote by k v the maximal 
nesting depth of positive occurrences of existential quantifiers and of negative 
occurrences of universal quantifiers in p, then it can be seen that any (5* -tableau 
proof of p can be carried out in the signature E^ ■ 

It is useful to introduce the following notion of rank of a formula if in the 
language by putting: 

rank (if) =Def min{fc £ N : ip is in the language } . 




118 



Domenico Cantone and Marianna Nicolosi Asmundo 



3.4 Naturalness of the -Rule 

All (5-formulae sharing the same basic structure are assigned the same Skolem 
function symbol by the 6* -rule. This leads to a more natural way of reason- 
ing (compared to previous versions of (5-rules), as one is able, in a very simple 
syntactic manner, to abstract from irrelevant parts and terms of formulae. 

What we obtain is a natural way to perform Skolemization by keeping oneself 
closer to the general concept of function. The following example makes our point 
clearer. 

Example 6. Let us assume that we have the following formula: 

iyx){3y)[x -y = e), 

which asserts the existence of an inverse for any element w.r.t. the operation 
and relative to the (identity) element e. If we have to expand this formula 
in a tableau system with the (5* -rule, first we have to instantiate the universal 
formula obtaining: 

t (3y)(x 1 • y = e). 

Then, an application of the 5* -rule yields: 

x\ • i(x i, e) = e. 

Now let us assume that we encounter also the formula 

(\/x)(3y)((a ■ x) ■ y = e), 

where a is a parameter. Then, after applying to it the y-rule and the (5* -rule, 
we obtain 

(a • aq) • i((a ■ Xi), e ) = e. 

Notice that by reusing the same Skolem symbol i, we were able to abstract from 
the terms in the formula. □ 



4 Completeness and Soundness of the <5** -Rule 

Since the 5* -rule is a liberalization of the (5-rule, it follows that completeness is 
trivially preserved and does not have to be proven. 

The soundness proof can be conducted in the standard way, by showing that 
the satisfiability of a tableau is preserved during the application of tableaux 
expansion rules. 

Tableau proofs are for statements of a first-order language over a signature 
E, but they are carried out in the extended signature E^ (cf. (5)). 

Given a tableau T for a sentence in a first-order language a branch 9 of 
T is said to be satisfied by a structure M over and we write M \= 9, if 

M |= X, for each formula X occurring in 9. A tableau T is said to be satisfied 
by M if at least one of its branches is satisfied by M, in which case we write 
M j= T. A tableau (resp. a branch) is said to be satisfiable if it is satisfied by 
some structure. 

Next we show how to extend a structure A i = ( T > , I), over an initial signature 
E = (V. T), into a structure .Moo, over the limit signature E^ = {V. Uj=o ^j)- 
We define recursively a sequence {AhjieN of structures Mi = (V,li), for each 
signature Ei, where Eq = E , Mo = M, and To = X, as follows. Let h v G T n +\ , 




A Further and Effective Liberalization of the S - Rule 



119 



where ip = RelF (Key (<5o(x ) , x ), {xo}), for some (5-formula S in the language , 
with quantified variable x, and let k = arity (hip). For any fc-tuple b £ V k we 
define h v ( b) in the following way: 

V \ 

(a) if (M n , A) \= (3xo)ip, for some assignment A s.t. S v = b, then we put 

h% n+l {h) =Def c , (6) 

for some c£V such that (M n , A[x o <— c]) |= ip, 

(b) otherwise we put 

h T v n+1 { b) =Def d , 

for an arbitrary d £ T>. 

Finally, we define M oo = where 1oo\vuf = X 0 \vur, and Too\f n = 

I n \f , for any n > 1. 

By reasoning as in the cases of other variants of free- variable tableau systems, 
it can be proven that satisfiability of tableaux for sentences in the initial signature 
£ is preserved by applications of propositional tableau rules and of the 7-rule 
(see for instance [5]). Thus we focus our attention only on the (5* -rule. 

Lemma 3. Satisfiability of tableaux for sentences in the initial signature £ = 
(V,tF) is preserved by applications of the S* -rule. 

Proof. Let T be a satisfiable tableau for a sentence of C + . We show that satis- 
fiability is preserved by applications of the S* -rule. 

Let M! = (T>,X') be a structure satisfying a branch 6 of T, and let d be a 
(5-formula occurring in 9. Let p>\ = Key(6o(x), x) and a £ SubstKey(6o(x), x), 
where x is the quantified variable of 6. Also, let p >2 = RelF(tp 1, {so}) and 2 = 
Free{ip- 2 ) \ {a:o}- Let us put 

, \ d 0 {h^{S^)cr) if <£2 7^ A 

\<5o(x) if <pi = A. 

By applying the (5* -rule to the formula (5, the new branch 9’ = 9; if is produced. 

It is enough to prove that the branch 9' is satisfiable. In fact we will show 
that it is satisfied by the structure Afoo = (R > ,Zoo) constructed over M. = (T>,T), 
where 1 = 

We proceed by induction on the length of 9' . Thus, as inductive hypothesis, 
we may assume that A! 00 \= 9. We show that |= if and to this purpose we 
distinguish the following two cases: 

Case tp 2 7^ A. Let r = rank(S). By inductive hypothesis Afoo |= <5, and since 
X r and Too coincide over the predicate and function symbols of (5 we have 
M r 1= (5. Let A be an arbitrary assignment over the variables of Ce^- Then 
(M r , A) 1 = S and therefore ( M r ,A ) |= (3x)(5o(x). Since p\cj and Sq(x) co- 
incide up to renaming of bound variables, we have ( M r ,A ) |= (3x)(<picr), 
so that (M r , A’) |= (3xo)y>i(xo), where A! = A[x <— (xa) A ] x ^pr ee ( Vl ). But 




120 



Domenico Cantone and Marianna Nicolosi Asmundo 



then, (M r , A”) |= ipi(xo), for some Xo-variant A" of A'. By Lemma 2(a), 
(M r , A") |= <p 2 (xo), so that ( M r ,A ') (= (3xo)<£>2bo)- From the definition 
of hy 2 +1 (cf. (6)), it then follows that (M r + i,A!) \= p> 2 (h V2 (^ V2 )). Since 
(M r , A') \= (3xo)<pi(xo), we have immediately (M r + i, A') b (3x 0 )<^i(x 0 ), 
which, by Lemma 2(b), implies (M r +i, A’) b (Vx 0 )b 2 (xo) D <pi(x 0 )). 
Hence (M r +i, A”) \= <^ 2 bo) D ipi(xo), for every xo-variant A" of A!. In 

particular, by putting A" = A'[x 0 <— hp 2 +1 (l) )\, we have (M r +\, A") b 

<P 2 (xo) D ipi(xo), so that (M r+ 1 , A ) b T2(h^ 2 (§ \fi 2 )) — * ^Pi(h V2 (~§ ip 2 ))- 
Hence (M r +i,A') b Vi(h V2 (§ V2 ))- But then (M r +i,A) b (Vi(h V2 (§ V2 ))) 
(j, which in turn implies (M r +i,A) b So(h V2 (^ ^a). Since T r +i and Too 
coincide over the symbols of So(h V2 (!) V2 )f J ) and A is an arbitrarily chosen 
assignment, we obtain M r + 1 b b an d therefore Moo b b- 

Case ip 2 = A. Let r = rank(S). As above, given an arbitrary assignment A over 
the variables of we have ( M r ,A ) b (3x)5o(x). Since y >2 = A, the 

variable xo does not occur in ip\, and therefore the variable x does not occur 
in <5o(x). Hence, we have immediately that Moo b bibb namely Moo b b> 
since X r and loo coincide over the symbols of <5o(x) and A is an arbitrarily 
chosen assignment. ■ 

The above discussion can be summarized in the following theorem. 

Theorem 1 (Soundness and Completeness). The free-variable tableau sys- 
tem with the 6* -rule is sound and complete. □ 



5 Complexity Issues 

In the present section we discuss the <5* -rule from a proof complexity point 
of view. We observe first that the computation of key formulae and relevant 
extracted formulae is not expensive, as it can be done in linear time. Moreover: 

1. for every unsatisfiable formula ip, a shortest closed (5* -tableau for p> is never 
longer than a shortest closed (5*-tableau for ip-, 

2. adopting the (5* -rule in place of previous variants of the (5-rule can lead to 
reductions in proof length. 

The first point follows by noticing that a linear simulation of a <5*-tableau by a 
5* -tableau is always possible. The second point will be addressed in the following 
subsection. 

5.1 Comparing the -Rule to Other Versions 

The (5* -rule is able to reduce the number of different Skolem functors in the 
proof and the arities of the introduced Skolem terms and, as we stressed before, 
this fact has a favorable impact on proof length. 




A Further and Effective Liberalization of the S- Rule 



121 



Let us consider first the following example which shows that by reducing the 
arities of the introduced Skolem terms (reduction of variable dependencies), it 
is possible to obtain shorter proofs: 

Example 7. Let us suppose we have to prove the unsatisfiability of: 

V = (Vy)((^x)(p(x) A (~>p(y) A r(x)))) . 

Using a tableau system based on any of the previous versions of (5-rule, we would 
obtain the following tableau: 

(Vy)((3x)(p(x) A (~>p(y) A r(x)))) 

(3x)(p(x) A (->p(x 1 ) A r(x))) 

P(f(x 1 )) A (~>p{x{) A r(f(x i))) 

P(f(x 1 )) 

~<p(x i) 
r(f(xi)) 



and another instantiation of the universal formula is needed to close the tableau. 

On the other hand, in a tableau system with the 5* -rule, we get the following 
shorter proof, where closure is obtained by means of the substitution a = {x\/c}\ 

(\/y)((3x)(p(x) A (~>p(y) A r(x)))) 

(3 x)(p(x) A (~>p(xi) A r(x))) 
p(c) A (~>p(x i) A r(c)) 
p(c) 

~<p(x l) 

r(c) 

_L 

Notice that while expanding the (5-formula (3x)(p(x) A (~<p(x i) A r(x))), we 
did not have to consider the free variable x\ in the construction of the relative 
Skolem term, since p(x o) A r(x o) is its relevant extracted key formula (in other 
words, the part ->p(x i) has been recognized as irrelevant). □ 



5.2 Exponential Speedup 

In fact, using the (5* -rule instead of the (5*-rule can lead to exponentially shorter 
proofs. 

Theorem 2. There is a class of formulae {Tn}(n>i) such that, ifb*(n ) (resp. 
b* (n ) ) is the number of branches of the shortest closed tableau for (p n using the 
5* -rule (resp. S* -rule), then the shortest closed tableau for ip n using the 5* -rule 
has 

b*{n) = 0( 2 fc ** (n )) 

branches. 




122 



Domenico Cantone and Marianna Nicolosi Asmundo 



Proof. We recursively define the following class of formulae: 
ipi = false 

<Pn = (Vx)(Vy) (</?„_! V \p n (x,y) A ((Vu)(3 z)(^p n (z, V 

(Vw)(3 z)(-'Pn(z, /(/ M))))]) 

for n > 2. 

The theorem is then proven by showing that 

1. b** (n) = 0{n) (i.e. 6** (n) is linear in n), 

2. fe*(n) = <9(2 n ) (i.e. 6 *(ti) is exponential in n). 

Intuitively, the reason for the different behavior of the (5*- and the (5* -rule 
on the above formula class is that the (5* -rule uses the same Skolem function 
symbol h to Skolemize the two existential formulae in the second part of p n ; 
therefore, a single copy of the literal p n (xi,yi) is sufficient to close the two 
branches that contain these existential formulae, and the closed tableau T* 
for ip n contains only one copy of The (5*-rule, on the other hand, intro- 

duces two different Skolem function symbols h and g. As a result, two instances 
Pn(%i,yi) and p n {x 2 ,y 2 ) have to be generated; this, however, means that the 
closed tableau T* for ip n must contain two copies of T*_ x . 

b* (n) is linear in n. It is easy to see that the tableau T* shown in Figure 1 is 
a smallest closed S* -tableau for ip n . The number b* (n) of branches of T* (n) 
satisfies the recurrence relation 

b* (n) = b* (n — 1) + 2 , for n > 1, 

which implies that b* (n) = 0(n). 

b*{n ) is exponential in n. Similar to the previous case, it is easy to see that the 
tableau T* shown in Figure 2 is a smallest closed (5*-tableau for ip n . The number 
b*(n) of branches of T*{n ) satisfies the following recurrence relation 

b*(n ) = 2b* (n — 1) + 2 , for n > 1, 

which implies that b*(n ) = (9(2 n ). ■ 

Notice that the above proof is based only on one of the two main features 
of the S* -rule, namely the fact that it uses the concept of key formulae for 
assigning Skolem function symbols to (5-formulae. The same result can be proven 
solely on the basis of the second main feature of the S* -rule, which is to ignore 
non-relevant sub- formulae. 

5.3 Non-elementary Speedup 

By applying the (5* -rule, it is also possible to gain a non-elementary speedup 
in proof length over previous versions of the (5-rule, specifically over Baaz and 
Fermiiller’s (5*-rule. 




A Further and Effective Liberalization of the S- Rule 



123 



Substitution to be applied: 
a = {xi/h{f(f{wi))),yi/f(f{wi)),vi/f{wi)} 



( Pn 

I 



¥>n-i V yi) A 

((Vv)(3 z)(->p„(z,f(v))) V (Vw)(3 z)(-ip n (z,f(f(w)))))] 



<Pn- 1 Pn(xi,yi) A 

((Vv)(3 z)(->p„(z, f(v))) V (Vw)(3 z)(-rp n (z, f (/ (w))))) 




Pn{xi,yi) 

(Vv)(3 z){-ip n (z, f(v))) V (Vw)(3 z)(-<p n (z, f (/ (w)))) 



(Vv)(3 z)(-ip„{z, f(v))) (Vw)(3 z)(-ip n (z, /(/( w)))) 



(3«)(-.p„(«,/(i;i))) 



(3z)(^p n (z,f(f(wi)))) 



-'Pn{h{f{vi)) ! f{vi)) ~'Pn{h{f{f{wi))),f{f{wi))) 



Fig. 1 . A minimal (5* -tableau for <p ra that is closed after application of the 
substitution a shown at the top. 



The proof follows exactly the same lines of [1], to which we refer the reader for 
details. Here we only indicate the variant of the “justifying formula” presented 
in [1], which must be used in our case: 

(Vxr) • • • (V®„) (Vy ) [(<?! V C 2 ) D (C, V (3z) [ C 2 {y/z } V (P(y) A (R(z) A nP(j)))])] . 

6 Conclusions and Directions of Future Research 

We have introduced a new version of the (5-rule in free variable semantic tableau. 
The new rule carries mainly two features: 

1. it assigns the same Skolem function symbol to existential formulae which are 
identical up to irrelevant subformulae; 

2. it abstracts from the terms present in an existential formula. 

As we already pointed out, both features, independently, enable a non-elementary 
reduction in proof complexity. Moreover key formulae and extracted key formu- 
lae are not expensive to calculate. 

Global Skolemization has already been implemented in the language SETL. 
As a next step, we plan to implement a semantic tableau system employing 







124 



Domenico Cantone and Marianna Nicolosi Asmundo 



Substitution to be applied: 

a = {xi/h(vi),yi/f(vi),x 2 /g{wi),y 2 /f{f{wi))} 

I 

(fin- 1 V \p n (xi,yi) A 

((Vv)(3 z)(~<p n (z, f(v))) V (Vw)(3 z)(^p„(z, 



1 Pn(xi,yi) A 

((Vv)(3 z)(->p„(z,f(v))) V (Vw)(3 z)(-ip n (z,f(f(w))))) 




Pn(xi,yi) 

(Vv)(3 z)(-ip n (z,f(v))) V (Vw)(3 z)(^p n (z,f(f(w)))) 



(Vv)(3 z)(-ip„(z, f(v))) (Vw)(3 z)(-ip n (z, f(f(w)))) 



{3z)(-ip„(z, 



(3z){-ip n {z,f{f{wi)))) 



-^Pn(h(vi),f(v l)) 



-^Pn(g(wi),f(f(wi))) 



(fin-! V [Pn(X2,1/2)A 

((Vv)(3 z)(-ip n (z,f(v))) V (Vw)(3«)(-.p„(z,/(/(w)))))] 



¥>n-l Pn{X2, yz) A 

((Vv)(3 z)(->p n (z,f(v))) V (Vw)(3 z)(-ip n (z,f(f(w))))) 



Pn(x 2 ,y 2 ) 

((Vv)(3 z)(-ip n (z,f(v))) V (Vw)(3 z)(-ip n (z,f(f(w))))) 




Fig. 2. A minimal (5*-tableau for that is closed after application of the sub- 
stitution cr shown at the top. 







A Further and Effective Liberalization of the S- Rule 



125 



the S* -rule and additional optimizations. We believe that our version of the 
(5-rule offers many advantages over previous versions and a good ratio between 
reduction in proof length and costs of execution. 

What we want to emphasize as the main point of our work is not the fact 
that it is possible at all to gain a non-elementary speedup, but that our rule (in 
particular due to the second feature mentioned above) triggers Skolemization in 
a quite natural way. If a proof introduces functions in a generalizing manner, we 
keep closer to the usual intuition of what the meaning of a function is, i.e. , an 
abstraction that is applicable to different elements. 

Acknowledgments 

The authors thank heartily Wolfgang Ahrendt and Bernhard Beckert for many 
enlightening discussions and suggestions and for their generous support in the 
preparation of a first draft of the paper. 

This work has been partially supported by the C.N.R. of Italy, coordinated 
project SETA, by M.U.R.S.T. Project “Tecniche speciali per la specifica, l’analisi, 
la verifica, la sintesi e la trasformazione di programmi” , and by project “Deduc- 
tion in Set Theory: A Tool for Software Verification” under the 1998 and 1999 
Vigoni Programs. 



References 

1. M. Baaz, C.G. Fermiiller. Non-elementary speedups between different versions of 
tableaux. In 4f h International Workshop , TABLEAUX ’95 LNCS n. 918, 1995. 

2. B. Beckert, R. Hahnle and P. Schmitt. The even more liberalized (5-rule in free 
variable semantic tableaux. In Computational Logic and Proof Theory , Proceedings 
of the 3rd Kurt Godel Colloquium, Brno, August 1993. Springer, LNCS 713, pp. 
108-119. 

3. D. Cantone, M. Nicolosi Asmundo and E. Omodeo. Global Skolemization with 
grouped quantifiers. In Proceedings of APPIA-GULP PRODE’97: Joint Conference 
on Declarative Programming , pp. 405-413, 1997. 

4. M.D. Davis and R. Fechter. A free variable version of the first-order predicate cal- 
culus. Journal of Logic and Computation, 1(14):431-451, 1991. 

5. M. Fitting. First-Order Logic and Automated Theorem Proving. Springer, New York, 
1990. 

6. R. Hahnle and P. Schmitt. The liberalized (5-rule in free variable semantic tableaux. 
Journal of Automated Reasoning, 13(2):211-221, 1994. 

7. R. Smullyan. First-Order Logic. Springer, New York, 1968. 




A New Fast Tableau-Based Decision Procedure 
for an Unquantified Fragment of Set Theory* 



Domenico Cantone 1 and Calogero G. Zarba 2 

1 Universita di Catania, Dipartimento di Matematica 

Viale A. Doria 6, 1-95125 Catania, Italy 
cantoneOcs .unict . it 

2 Stanford University, Computer Science Department, 

Gates Building, Stanford CA 94305, USA 

zarba@theory . stanford.edu 



Abstract. In this paper we present a new fast tableau-based decision 
procedure for the ground set-theoretic fragment Multi-Level Syllogistic 
with Singleton (in short MLSS) which avoids the interleaving of model 
checking steps. 

The underlying tableau calculus is based upon the system KE. 



1 Introduction 

In the last few years many fragments of set theory have been proved decidable 
[6,5]. However, the problem of finding efficient decision procedures for these 
fragments still remains largely unexplored. 

In this paper we present a new fast tableau-based decision procedure for the 
ground set-theoretic fragment Multi-Level Syllogistic with Singleton (in short 
MLSS). 

Tableaux have the appealing feature that it is easy to extract a counter- 
example from an open and saturated branch, but on the other hand they can 
be highly inefficient if the splitting rules are not designed properly, at least 
for certain classes of formulae. We address this anomaly by presenting a tableau 
calculus based on the system KE introduced in [7] which forces tableau branches 
to be mutually exclusive. This results in an exponential speed-up with respect 
to Smullyan tableau-based calculi. 1 

In addition, in the procedure we are going to describe useful cuts are recog- 
nized in constant time, without the interleaving model-checking steps approach 
used in [1,4,9]. Moreover, useless cuts that might be executed by an exhaustive 
search strategy are totally avoided. This will have the overall effect to consider- 
ably speed up the saturation process with respect to the previous approaches. 

* Work partially supported by the C.N.R. of Italy, coordinated project SETA, by 
M.U.R.S.T. Project “Tecniche speciali per la specifica, l’analisi, la verifica, la sintesi 
e la trasformazione di programmi”, and by project “Deduction in Set Theory: A 
Tool for Software Verification” under the 1998 Vigoni Program. 

1 See [7] for further details about the cited speed-up. 



R. Caferra and G. Salzer (Eds.): Automated Deduction, LNAI 1761, pp. 126—136, 2000. 
(c) Springer- Verlag Berlin Heidelberg 2000 




A New Fast Tableau-Based Decision Procedure 



127 



Our decision procedure has been implemented as part of the Stanford Tempo- 
ral Prover, STeP [2] , a system which supports the computer-aided verification of 
reactive, real time and hybrid systems based on temporal specification. The inte- 
gration of our decision procedure with STeP First-Order Reasoning and STeP’s 
other decision procedures is done using the method described in [3]. 

The paper is organized as follows. In Section 2 we introduce some preliminary 
concepts which will be useful in what follows. In Section 3 we present a decidable 
tableau calculus for MLSS, whose proof of correctness is given in Section 4. 
Finally, after giving in Section 5 some experimental results, in Section 6 we hint 
at some directions of future research. 



2 Preliminaries 

In this section we introduce the syntax and semantics of MLSS, as well as the 
concept of realization. 



2.1 Syntax 

The unquantified set-theoretic fragment MLSS contains 

— a denumerable infinity of variables, 

— the constant 0 (empty set), 

— the operator symbols U (union), n (intersection), — (set difference) and [•] 
(singleton), 

— the predicate symbols E (membership) and « (equality), and 

— the logical connectives ->, A and V. 2 

Plainly, the predicate E and the finite enumeration operator can 

be expressed in MLSS by noticing that s E t is equivalent to s U t ss t and that 
[ti, t 2 , ..., tk] can be expressed by [ti] U . . . U [£*,]. 

We denote by T v the collection of all terms occurring in the formula Lp, and 
we use the abbreviations s ^ t and s ^ t to denote ~>(s E t) and ~>(s « t), 
respectively . 



2.2 Semantics 

The semantics of MLSS is based upon the von Neumann standard cumulative 
hierarchy V of sets defined by: 

V o = 0 

V Q +i = V(V a ) , for each ordinal a 
Va = U m <a > f° r eac h limit ordinal A 

V — U aGOn Va i 

2 In our treatment, —rip is considered to be a syntactic variation of p. 




128 Domenico Cantone and Calogero G. Zarba 



where V(S) is the power set of S and On denotes the class of all ordinals. It can 
easily be seen that there can be no membership cycle in V, namely sets in V are 
well-founded with respect to membership. 

An ASSIGNMENT M over a collection V of variables is any function M : V —> 
V. Given an assignment M over the variables of a formula tp, we denote with Mip 
the truth-value obtained by interpreting each variable v in p with the set Mv 
and the set symbols and logical connectives according to their standard meaning 
(thus, for instance, U, n, — , [•], E, and « are interpreted as the set operators 
U, n, \, {•}, and as the set predicates € and =, respectively). 

A set model for a formula p is an assignment M over the collection of 
variables occurring in ip such that Mip evaluates to true. 

A formula tp is SATISFIABLE if it has a set model. 



2.3 Realizations 

Let G = ( N , E) be a directed acyclic graph, and let (P, T) be a bipartition of 
N. Also, let {u x : x £ P} be a family of sets. 

Definition 1. The REALIZATION of G — (AT, e) relative to {u x : x £ P} and to 
(P, T) is the assignment R over N recursively defined by: 

Rx = {ig,} , for x in P 

Rt = {Rs : s E t} , for t in T. 

Observe that R is well-defined since G is acyclic. 

Next we define the function h : N — * N (called the height), by putting: 



hft) 



0 if t £ P or s ^ t, for all s £ N 

max{ /i(s) : s E t} + 1 otherwise. 



The following lemma states the main properties of realizations. 



Lemma 1. Let G = (P U T, E) be a directed acyclic graph, with P fl T = 0. 
Also, let {u x : x £ P} and R be respectively a family of sets and the realization 
of G relative to {u x : x £ P} and ( P,T ). Assume that: 

(a) u x ^ u y for all distinct x, y in P; 

(b) u x ^ Rt, for all x in P and t in PA T. 3 

Then the following properties hold: 

(i) if s El t then hfs ) < hft), for all s in PAT and t in T; 

(ii) if Rt i = Rt 2 then h{t\) = h(t 2 ), for all t\,t 2 in P U T; 

(iii) if Rs £ Rt then h(s ) < hft), for all s,t in PAT. 

3 Notice that conditions (a) and (b) can always be satisfied by letting the u x ’s be 
pairwise distinct sets of cardinality no less than |PUT|, since \Rt\ < |PUT|. 




A New Fast Tableau-Based Decision Procedure 



129 



Proof, (i) is immediate. 

(ii) If either t\ or t 2 is in P, the claim is ensured by conditions (a) and (b). On 

the other hand, if ti,t 2 € T, we proceed by induction on max{/i(ii), h(t 2 )}. 
The base case (max{h(ti),h(t 2 )} = 0 ) is trivial. For the inductive step, 
suppose Rt\ = Rt 2 and, without lost of generality, that h(t±) > 0 . Then 

there exists s such that s E t and h{t\) = h(s) + 1. Since s E t\, it 

follows that Rs £ Rt\ and therefore Rs £ Rt 2 . Moreover, there exists s' 
such that Rs' = Rs and s' E t 2 . By inductive hypothesis h(s) = h(s'). 
Finally, h(t 2 ) > h(s') + 1 = h(s) + 1 = h{t\). Exchanging the roles of t\ and 
t 2 it is also possible to deduce h(t 2 ) < h{t\). Thus h{t\) = h{t 2 ). 

(iii) If Rs £ Rt then there exists some s' such that Rs' = Rs and s' E t. For 

(i) h(s') < h{t) and for (ii) h(s) = h(s'). Thus h(s) < h(f). □ 

3 The Tableau Calculus 

In this section we describe a tableau calculus for MLSS. See [8] for a complete 
introduction to semantic tableaux. 

We extend the notion of closed tableau as follows: 

Definition 2. A branch 6 of a tableau T is closed if it contains: 

— two complementary formulae xf, -iif, or 

— a membership cycle of the form to E ii E ... E to, or 

— a literal of the form t 'fit, or 

— a literal of the form s E 0. 

A tableau is CLOSED if all its branches are closed. 



3.1 Saturation Rules 

Our calculus has two kinds of rules: saturation and fidfilling rules. Moreover, we 
impose the restriction that no new term will be created by any application of a 
saturation rule. Thus, for instance, the rule 

S E fi =>• s E ti U t 2 

can be applied to a branch 9 of a tableau for tp only if the term t\ U t 2 is already 
in T,p. Under this fundamental restriction, the full collection of saturation rules is 
shown in Table 1. Notice also that in the first two rules for equality, £ stands for 
a literal, and the substituted term is restricted to be a top-level term occurring 
in i. This will prevent the search space from exploding. 

A branch is said to be LINEARLY SATURATED if no saturation rule produces 
new formulae. 




130 Domenico Cantone and Calogero G. Zarba 




3.2 Fulfilling Rules 

A fulfilling rule can be applied to an open linearly saturated branch, provided 
that its associated precondition and subsumption requirement are, respectively, 
true and false. Table 2 summarizes the fulfilling rules and their associated pre- 
conditions and subsumption requirements. Notice that even fulfilling rules (that, 
incidentally, in our calculus are exactly the splitting rules) are not allowed to 
introduce new terms, with the exception of the last one, which introduces fresh 
parameters x not occurring in the branch to which it is applied. 

Remark 1. Notice that literals of type s ^ t\ n f 2 and s ^ t\ — 12 do not trigger 
any split rule, as would happen in an exhaustive search strategy. 

Notice also the asymmetry in the precondition for FI: no split needs to occur 
if for some term t\ n t 2 in T v a literal s E <2 occurs in a branch. 

In early versions of this work all sorts of cut rules were allowed, whereas a 
careful analysis of the correctness proof has pointed out that most of them can 
be avoided. 



Remark 2. Observe that if the literals Si « S2, t\ « t2, si 76 ti, Si 76 f 2 , S2 76 ti, 
S2 76 f 2 occur in a branch, an exhaustive search strategy would apply a splitting 
rule to each inequality, thereby generating 2 4 branches, whereas in our calculus 
at most 2 branches will eventually be created. 




A New Fast Tableau-Based Decision Procedure 



131 



fulfilling rule 


precondition 


subsumption requirement 


P\~<P 


p V q is in 9 


p is in 9 or ->p is in 9 


-'pIp 


-i (p A q) is in 6 


-i p is in 9 or p is in 9 


sEfi 


s (£ tl 


ti U t 2 £ T v 
s E ti U t2 is in 9 


s E ti is in 9 or s ti is in 9 


sEfe 


s £ t 2 


ti n t 2 £ T v 

s E ti is in 9 


s E t.2 is in 9 or s ^ t2 is in 9 


sEtz 


S^t2 


ti — t2 G Ty, 
s E ti is in 6 


s E t2 is in 9 or s g: t2 is in 9 


x E ti 
X t2 


x eE ti 
X E t-2 


ti,t2 £ T v 
ti 56 t2 is in 9 


3 x : (x E 1 1 is in 9 and x ^ 1 2 is in 9 ) 
or 

3 x : (x 7: ti is in 9 and x E £2 is in 9 ) 



Table 2. Fulfilling rules. 



Remark 3 . It is possible to further strengthen the subsumption requirement as- 
sociated to the last fulfilling rule by noticing that if a literal t 76 0 occurs in a 
branch 0, then it is enough to require that iE i occurs in 9 for some x, thus 
obtaining the linear fulfilling rule 

t 76 0 =>• x E t (x new parameter) 

This improvement will be used in Example 1. 

More generally, one can maintain a transitivity graph [3] whose nodes are 
labeled with terms in Pg U T v and edges are labeled with E, 56 or 7 !. Then, if a 
literal t\ 76 t-2 occurs in a branch 9 , we may check whether there exists a path 
from t\ to f 2 (or from to ti) with edges labeled with E, and the fulfilling rule 
would then be: 



1 1 76 ^2, ti E t2 =>• x E <2 5 x 7: t\ (x new parameter) . 

We should also notice that if the literals t\ 76 ^2, ti E • • • E £2 occur in a 
branch 0, we do not need to apply any fulfilling rule at all. Soundness of such 
optimizations is an easy matter. 



Example 1 . Table 1 contains a closed tableau with 3 branches for proving the 
validity of the formula ->(x ~ [y\ A x « y U z) V (y « 0 A x ~ z). 

We denote with ipi the formula labeling node i, and provide justifications for 
the construction of the tableau. 

— <P2, ¥>3, Pa, P5 an d P7 are obtained by means of propositional rules; 

— (pe and ip 17 are obtained by means of the second fulfilling rule; 

— ips, 7)9, <£13 and ip\\ are obtained by means of the last fulfilling rule; 




132 Domenico Cantone and Calogero G. Zarba 



1. -’(-'(a; ss 


[y] A * « y U 2 ) 


v (y 


« 0 A * « 2 )) 


2. 


xk, [y] A * ft 


■ yUz 


3. 


-i( y 




) 


4. 


x « [y\ 






5. 


x « y U 2 




1 

6. y 


«0 


17. 


y ^ 0 


7 . x 




18. 


w E y 


1 1 


1 


19. 


w E y U 2 


8. wEi 


13. w x 


20. 


w E x 


9. z 


14. w E z 


21. 


w E [y] 


10. w E y U 2 


15. w E y U 2 


22. 


wK,y 


11. w E y 


16. w E x 


23. 


V E y 


12. t»E0 






± 


_L 









Fig. 1. A closed tableau for ^(-n(x « [y] A x « y U z) V (y « 0 A x « z)) 



— ip io, <^12, <Pi 6 , T20, P21 and <£23 are obtained by means of equality rules; 

— <p 11, <p\5 and <£19 are obtained by means of rules for U; 

— the optimization promised in Remark 3 is used to deduce tpi&] 

— P22 is obtained by means of a rule for [•] . 

The tableau is closed since the leftmost branch contains the contradiction ip\2 , 
the central branch contains two complementary literals pis, Pie, and the right- 
most branch contains a membership cycle (<^23). 

Finally, notice that to prove the same formula, the approach described in [4] 
produced a tableau with 8 branches 

4 The Decision Procedure 

In this section, after introducing some definition and terminology, we state our 
decision procedure and prove its correctness. 

Definition 3. To any branch 9 of a tableau T for a formula ip we associate the 
following objects: 

Pg: the collection of parameters added to 9 ; 

Vg: the collection of variables and parameters occurring in 9 ; 

Pg: the collection of parameters {x £ Pg : there is no t in T v such that x « 
t occurs in 9 }; 

Tg-. the set T v U (Pg \ Pg); 

Gg : the oriented graph (Pg U Tg, E), where s E t if and only if the literal sE( 



occurs m 





A New Fast Tableau-Based Decision Procedure 



133 



Rg\ a realization of Gg relative to the partition ( Pg,Tg ) and to pairwise distinct 
sets u x , for x G Pg, each having cardinality no less than \P' e U T' e \; 

Mg\ the assignment over Vg defined by Mgv = Rgv, for each v inVg. 

Definition 4. An open branch 9 is SATURATED if it is linearly saturated and 

all its subsumption requirements are fidfilled. 

Definition 5. A branch 9 is said to be coherent if Rgt = Mgt, for all t in 

PgUTp. 

Procedure 1 (MLSS-Satisfiability Test). 

Input: an MLSS-formula p. 

1. Let T be the tableau consisting of a single node labeled with p\ 

2. linearly saturate T by strictly applying to it all possible saturation rules 
until either T is closed or no new formula can be produced; 

3. if T is closed, announce that p is unsatisfiable; 

4. otherwise, if there exists an open and saturated branch 9 in T, announce 
that p is satisfied by the model Mg ; 

5. otherwise, let 9 be a non-saturated open branch; apply to 9 any fulfilling 
rule whose subsumption requirement is false and go to step 2. 



4.1 Termination 

We begin to prove total correctness of Procedure 1 by first showing termination, 
and leave the proof of partial correctness for the next subsection. 

Theorem 1. Procedure 1 always terminate. 

Proof. Let p be the root formula of the tableau limit T constructed by Proce- 
dure 1. Since steps 3 and 4 cause the procedure to terminate, and step 5 always 
add new formulae, to show termination it is enough to prove that T must be 
finite. Now, let 9 be any branch in T. Because of the restriction imposed to 
the application of the rules, \Tg\ is bounded by \T V \ 2 , and therefore T v U Tg is 
finite. It follows that the number of literals occurring in 9 is finite, as well as the 
number of formulae involving propositional connectives. Having shown that any 
branch in T is finite, in view of the Konig Lemma even T is finite. □ 

4.2 Partial Correctness 

Let again p be the root formula of the tableau T constructed by Procedure 1. 
Since all rules are plainly sound, if T is closed then p is unsatisfiable. Otherwise 
the tableau T must contain an open and saturated branch 9. Thus, in order to 
establish the correctness of Procedure 1, it is enough to prove that the assignment 
Mg (cf. Definition 3) satisfies the branch 9 and, therefore, the formula p. 

The following lemma is easily proved by induction on the number of appli- 
cations of the inferences rules. 




134 Domenico Cantone and Calogero G. Zarba 



Lemma 2. In any branch 9 if x £ Pg then: 

(a) there can be no term t in T V U Pg different from x such that x ~t occurs in 

0 ; 

(b) there can be no term s in T V U Pg such that s Ex occurs in 9. 

In order to show that the assignment Mg models correctly all formulae occur- 
ring in an open and saturated branch 9 , we first show in the following lemma that 
the realization Rg models correctly all literals in an open and saturated branch 
9 , provided that terms are just considered as “complex names” for variables 
(namely operators are not interpreted). 

Lemma 3. Let 9 be an open and saturated branch. Then: 

(i) if s El t occurs in 9, then Rgs £ Rgt; 

(ii) ifti « t ‘2 occurs in 9, then Rgt\ = Rgt 2 ; 

(iii) if t\ 96 f 2 occurs in 9, then Rgt\ ^ Rgff; 

(iv) if s 0 t occurs in 9, then Rgs Rgt. 

Proof, (i) Let s E t be in 9. By Lemma 2, t ^ Pg, and by construction of Rg it 
trivially follows that Rgs £ Rgt. 

(ii) Let t\ « t 2 be in 9. If either t\ £ Pg or £2 £ Pg then by Lemma 2 it must be 
t\ = f 2 and therefore Rgt\ = Rgt 2 - If t\,t 2 G T'g but Rgt\ ^ R g t 2 , suppose 
w.l.o.g. that there is some a such that a £ Rgt\ and a ^ Rgt 2 - Then there 
exists s such that Rgs = a and sEli occurs in 9. Since 9 is saturated, s E £2 
must also occur in 9, and by (i) a = Rgs £ Rgt 2 , a contradiction. 

(iii) Let t\ 76 t 2 be in 9 but Rgt\ = Rgt 2 - W.l.o.g. we can assume that t\, t 2 £ T v 
(otherwise either at least one among fi,<2 is in Pg, and the claim easily 
follows from Lemma 2, or 9 would contain a literal t\ 96 t' 2 with t\ ,t' 2 £ T v 
and such that t\ « t\ and £2 ~ t 2 are in 9\ then t\ 96 t 2 could play the role 
of t\ 76 t 2 in the following discussion). By Lemma 1 we have h(t\) = ^(<2)- 
We proceed by induction on h{t\). In the base case {h{t\) = 0) we reach a 
contradiction, since by saturation there is some x such that either x E t\ 
and x ^ t 2 occur in 9, or x ^ t\ and x E £2 occur in 9, and we would have 
h(t±) > 0 in either cases. For the inductive step, w.l.o.g. let x E t\ and x ^ £2 
be in 9 (their occurrence is due to saturation), for some x. Then Rgx £ Rgt\ 
that implies Rgx £ Rgt 2 , so that there exists x' such that Rgx = Rgx' and 
x' E t 2 occurs in 9. Notice that x' ^ x (otherwise 9 would be closed). Since 
by Lemma 1 we have hfx) = h.(x') < hfti), we can apply the inductive 
hypothesis and obtain the contradiction Rgx ^ Rgx' . 

(iv) Let s g! t be in 9 but Rgs £ Rgt. Then there exists s' different from s such 

that Rgs = Rgs' and s' E t occurs in 9. By saturation s 76 s’ is in 9, and by 
(iii) Rgs Rgs' , a contradiction. □ 

Next we show that even operators are correctly modeled by Rg (and therefore 
by Mg), for an open and saturated branch 9. 

Lemma 4. If a branch 9 is open and saturated, then it is coherent. 




A New Fast Tableau-Based Decision Procedure 



135 



Proof. Let 9 be an open and saturated branch. We prove that Ret = Mgt, for 
each t in Pg U T v , by structural induction on t. The base case is trivial for 
variables. Concerning 0, notice that trivially Mg0 = 0 and that Rg0 = 0 since 
8 is open. For the inductive step we prove only that Rg{t\ FI t 2 ) = Mg{t\ n t 2 ) 
(other cases are similar). Suppose that a G Rg{t\ nt 2 ). Then there exists s such 
that Rgs = a and s E t\ nt 2 occurs in 9, and since 9 is saturated both s E t\ and 
sE ( 2 occur in 9. By Lemma 3 Rgs € Rgt\ and Rgs G Rgt 2 , and by inductive 
hypothesis a G Mgt\ H Mgt 2 = Mg(t\ n £ 2 ). Conversely, if a € Mg(t\ n t 2 ) 
then a G Mgt\ D Mgt 2 , and by inductive hypothesis a G Rgt\ fl Rgt 2 . After 
noticing that, because of the restrictions imposed to the application of the rules, 
it must be the case that t\,t 2 G T v , it follows that there exist s', s" such that 
Rs' = Rs" = a and both s' E t\ and s" E t 2 occur in 9. By saturation, either 
s' E t 2 or s' t 2 occurs in 9. In the former case s' E t\ n t 2 occurs in 9 , and 
therefore a G Rg{t\ I~1 1 2 ). In the latter case s' 76 s" occurs in 9, and therefore 
Rgs' ^ Res", a contradiction. □ 

The following theorem concludes the proof of partial correctness. 

Theorem 2. If 9 is an open and saturated branch, then it is satisfiable, and 
indeed it is satisfied by Mg . 

Proof. Let 8 be an open and saturated branch. By combining together Lemma 3 
and 4, it follows that Mg satisfies all literals occurring in 9. Finally, proceeding 
by structural induction, it easy to see that even formulae involving propositional 
connectives are satisfied by Mg. □ 

5 Some Experimental Results 

On a 200 Mhz ULTRA-Spark Sun workstation, the formulae ~>(x ~ [y\ A x ~ 
j/Uz)V(j/« 0 A x « z) (cf. Example 1) and a U (b U c) « (a U b) U c were 
proved valid in 0.03 seconds and 0.02 seconds, respectively, whereas the formula 
-’(2: E y A x Zi A Zi U z 2 E [y]) was recognized not to be valid in 0.04 seconds. 

Moreover, using the basic notion of pair (a, b ) =Def { { a.} , {a, 6}} due to Kura- 
towski, it has been possible to prove the validity of (a, b) ^ ( 11 , b)\/(a= uAb= v ) 
in 0.08 seconds. Similar theorems have also been proved for 3-tuples, 4-tuples 
and 5-tuples in 0.24, 0.58 and 1.79, respectively. 



6 Future Plans 

We plan to further investigate heuristics which allow to strengthen subsumption 
requirements, as hinted in Remark 3. 

Also, we intend to study thoroughly the cases in which cuts are really needed, 
in order to further optimize our calculus. 

Finally, we plan to generalize our tableau calculus and relative saturation 
strategy to extensions of MLSS (cf. [6,5]). 




136 Domenico Cantone and Calogero G. Zarba 



Acknowledgments 

The authors wish to thank Bernhard Beckert, Nikolaj S. Bj0rner, and Tomas 
E. Uribe for helpful comments. The second author wishes to thank Prof. Zohar 
Manna for having given him the opportunity to visit his REACT group. 



References 

L Bernhard Beckert and Ulrike Hartmer. A tableau calculus for quantifier- free set 
theoretic formulae. In Proceedings, International Conference on Theorem Proving 
with Analytic Tableaux and Related Methods, Oisterwijk, The Netherlands, LNCS 
1397, pages 93-107. Springer, 1998. 

2. Nikolaj S. Bjprner, Anca Browne, Eddie S. Chang, Michael Colon, Arjun Kapur, 
Zohar Manna, Henny B. Sipma, and Tomas E. Uribe. STeP: Deductive-algorithmic 
verification of reactive and real-time systems. In Proc. 8 th Inti. Conference on Com- 
puter Aided Verification, volume 1102 of LNCS, pages 415-418. Springer- Verlag, 
July 1996. 

3. Nikolaj S. Bjprner, Mark E. Stickel, and Tomas E. Uribe. A practical integration of 
first-order reasoning and decision procedures. In Proc. of the 14 th Inti. Conference 
on Automated Deduction, volume 1249 of LNCS, pages 101 115. Springer- Verlag, 
July 1997. 

4. Domenico Cantone. A fast saturation strategy for set-theoretic Tableaux. In Didier 
Galmiche, editor, Proceedings of the International Conference on Automated Rea- 
soning with Analytic Tableaux and Related Methods, volume 1227 of LNAI, pages 
122-137, Berlin, Mayl3-16 1997. Springer. 

5. Domenico Cantone and Alfredo Ferro. Techniques of computable set theory with 
applications to proof verification. Comm. Pure Appl. Math., XLVIII:l-45, 1995. 

6. Domenico Cantone, Alfredo Ferro, and Eugenio Omodeo. Computable set theory, 
volume no. 6 Oxford Science Publications of International Series of Monographs on 
Computer Science. Clarendon Press, 1989. 

7. Marcello D’Agostino and Marco Mondadori. The taming of the cut. Classical refu- 
tations with analytic cut. Journal of Logic and Computation, 4(3):285-319, June 
1994. 

8. Melvin C. Fitting. First-Order Logic and Automated Theorem Proving. Graduate 
Texts in Computer Science. Springer- Verlag, Berlin, 2nd edition, 1996. 1st ed., 1990. 

9. Calogero G. Zarba. Dimostrazione automatica di formule inisiemistiche con tagli 
analitici. Tesi di Laurea, Universita di Catania (in Italian), July 1998. 




Interpretation of a Mizar-Like Logic in First 

Order Logic 



Ingo Dahn* 

University of Koblenz-Landau 
Department of Computer Science 
Rheinau 1, D-56075 Koblenz 
dahn@uni-koblenz . de 



1 Introduction 

Automated theorem provers for first order logic have reached a state where 
they can give useful support for interactive theorem proving. However, most real 
world problems handled in interactive theorem proving are formulated in a typed 
language. First order provers have currently rather limited capabilities to handle 
types. Therefore type information has to be encoded in an efficient way. What 
is most efficient, depends on the type system as well as on the first order prover 
at hand. 

In this paper we describe a general purpose interpretation of a large fragment 
of the typed logic used in the Mizar Mathematical Library [Rud92,Try93] 
into untyped first order logic. This poses also new challenging problems for 
first order automated provers (see [DahWer97]). A general definition of an in- 
terpretation based on concepts from abstract model theory sets the theoretical 
framework. 

2 Semantic Foundations 

Libraries of theorems are basically collections of sentences that are assumed to 
be true in a given class of models. In this abstract setting, automated theorem 
provers provide a potential library - the library of all formulas they can prove. 
The correctness proof for the calculus underlying a specific prover provides evi- 
dence that all formulas in this potential library are true in the class of all their 
models. 

The semantics of the formulas is fixed. Hence it can serve as a basis for 
the consistent combination of knowledge from various sources. Abstract model 
theory has provided a theoretical framework to study semantic interrelations 
between several deductive systems. Therefore, we give slight generalizations of 
its most basic definitions from [Ba74], 

Abstract model theory has abstracted from the syntax of a particular lan- 
guage. The only essential property of a logic in this setting is to determine 

* Supported by the Deutsche Forschungsgemeinschaft 



R. Caferra and G. Salzer (Eds.): Automated Deduction, LNAI 1761, pp. 137—151, 2000. 
(c) Springer- Verlag Berlin Heidelberg 2000 




138 Ingo Dahn 



whether a particular formula is valid in a particular model. At this stage we do 
not care about how the logic determines validity in detail. We only want to be a 
little more specific on formulas and models. These are connected by the concept 
of a signature. Again, there is currently no need to define what a signature is. 
We simply note that each logic C accepts a specific set Sc of signatures. For 
example, some logics may require all signatures to include special symbols like 
= or £. For each signature a £ Sc, the logic fixes a class of models Mod £, a set 
of formulas and a relation |= ((which determines whether a formula H £ 
holds in a model M £ Mod„ ( M |=£ H). 

Then, an C- theory of signature a is simply a subset of <?((. This is sufficient to 
define the concepts of models and semantic consequence for each such abstract 
logic C. 

Definition 1. For each C-theory T of signature o the class of all £-models of 
T is the class Mod £ (T) of all M in Mod such that M )=(( H for all H £T. 

This induces the consequence relation, denoted also by |=((: 

Definition 2. A formida A £ is a consequence of a theory T C (T |= ^ 
A) if and only if M |= £ A for each model M from Mod % (T). 

3 Interpretations 

In order to use theorems proved by one system (the source system) to enhance 
the knowledge of another system (the target system), the logic of the second 
system must be interpreted in the logic of the first system. From the point of 
view of system architecture this is a mediation service [WiGe97] . 

For our intended application we think of the source system as an automated 
prover with logic S , while the target system is a library of formulas from a logic 
T. However, the same considerations can be applied in order to combine the 
libraries of two interactive theorem provers as well. 

We have to interpret proof problems from T as proof problems in S that 
can be solved by the source system. Our interpretation has to ensure that the 
consequences proved by the source system are valid consequences in the target 
logic. In order to be useful, it is not necessary that the source is able to handle all 
knowledge that the target system can handle - some interesting subset suffices 
and there can be required some translation procedure v between the formulas of 
the source logic and that of the target logic. Also, the models of the two logics can 
be quite different (for example, think of an interpretation of a geometric model 
like a plane as an arithmetic model consisting of pairs of Cartesian coordinates) . 
This interpretation /i of the models requires some translation i of between their 
signatures. 

The following definition provides the concept of interpretation with an exact 
meaning. 

Definition 3. An interpretation I of a logic T in a logic S consists of a set 
S 1 C Sr of signatures, for each o £ S 1 an S-theory and three mappings: 




Interpretation of a Mizar-Like Logic in First Order Logic 



139 



— l maps a set of signatures E 1 into E$, 

— p maps Mod ^ into Modf^ (<9j, ct ) for each a £ E 1 , 

— v maps for each a £ E 1 a subset of into 

such that for all a £ E 1 , for each sentence H in the domain of v and for each 
model M from Mod ^ 

M KT H if and only if p (M) |=f ((T ) !/ (H) . 

The second of these conditions requires that the models in the range of /i 
satisfy some set of conditions Oi.„ which can be stated in the source logic. 

Example 1. Let the source logic S be equational logic and let the target logic T 
be full first order logic. We obtain an interpretation I by taking Ei as the set 
of signatures containing equality, l as the operation, that deletes all predicates 
except equality, p as the giving the reduct of a model to its equational part, <9/,<r 
as the empty theory and v as the identity on equational first order sentences. 

Example 2. Take 2-sorted first order logic as source logic S , full monadic second 
order logic as target logic T and E 1 = Er as the set of all signatures, i extends 
each first order signature by a second sort set, p extends each first order model 
by adding the powerset of its universe as a second sort and the set theoretic £ 
as a new relation between elements of the universe and elements of sort set, i. e. 
subsets of the universe. These 2-sorted models will satisfy a number of 2-sorted 
first order conditions that can be put into the theory <9/. CT , for example the axiom 
of extensionality or the collection schema 

3X : set \/y (y £ X H (y)) . 

In this example, not all 5-models of &i. a will be in the range of p, for example 
by the Lowenheim-Skolem theorem there are models of this theory where there 
are countably many objects of sort set, hence the sort of sets cannot be a full 
powerset in these models. Models of <9/ >CT are called weak models in the theoretical 
foundations of higher order theorem provers. 

Example 3. Let S be a first order logic with a designated binary symbol T is 
now ordinary first order logic, not using -< in any of its signatures. For M aT- 
model of signature a, let p (. M ) be an expansion of M to crU{-(} by interpreting 
-< as a well-ordering of the universe. It is a well-known consequence of the axiom 
of choice that this is always possible. Then, the schema of transfinite induction 

Vx (Vy (y -< x -> H (y)) -> H (x)) -> \/z (if (z)) 

can be included in the theory Oi,„ for each formula H of signature er U {^} and 
can be used by theorem provers for the source logic S. Again, there will be weak 
models, i. e. models of <9/ iCr , where the ordering -< is not a well-founded. 

The following theorem states that the existence of an interpretation of a 
target logic T in source logic S justifies the use of translations of theorems from 
5 in T. 




140 Ingo Dahn 



Theorem 1. Let I be an interpretation of the logic T in the logic S. Let a £ E 1 , 
r C <P^ , A £ Then v(T) U <9j, ct Hf( CT ) V {A) implies that T \=f A, where 
v (T) denotes the image of T under v. 

Proof. If M is a T-model of T, then p (M) must be an 5-model of v (T) U 
<9/,er- Hence, p ( M ) is also a model of v (A) and therefore M must be a model 
of v (A') .qed 

We mention that the converse of the theorem holds under the additional 
assumption that there are no weak models, i.e. Modf^ (<9/,<r) is the image of 
Mod p under p. 

Having an interpretation of a logic T in a logic S does not mean that there 
is a procedure to translate proofs from a calculus for S into proofs in a calculus 
for T. Thus, in the third example above, proofs in a calculus for S can make 
use of transfinite induction, which cannot be translated directly in ordinary first 
order logic. If a calculus for T is complete, then it can merely be said that there 
must be a proof of the sentence A from T in this calculus. 

4 Basic Properties of the Mizar Mathematical Library 

The Mizar Mathematical Library is a collection of mathematical papers 
(articles), written in the Mizar language. This library has evolved over more 
than 10 years and consists of more than 20.000 theorems. 

All theorems in the Mizar Mathematical Library are proved from the 
axioms of Tarski- Grothendieck set theory (see [Ta38]). This is a set theoretic 
system, stronger than the more familiar system of Zermelo and Fraenkel 
with the axiom of choice. Especially, there is an unbounded class of strongly 
inaccessible cardinals. 



4.1 On the Mizar Type System 

Tarski- Grothendieck set theory is formulated in first order logic using vari- 
ables for objects of a single type - set. Basic symbols are only the equality 
symbol = and the membership symbol £. Mizar treats also the real numbers, 
the natural numbers and the arithmetic operations as primitive. However, from 
a theoretical point of view, these could be introduced as derived concepts. 

There are some tools to introduce new types - called modes - in Mizar. All 
these types are subtypes of set , i.e. ultimately, every object occurring in formulas 
in the Mizar Mathematical Library is a set. Since = and £ take arbitrary 
arguments of type set, there can occur also arguments of all other types on both 
sides of these symbols. [MLC99] is the official description of the Mizar syntax. 

Given types can be restricted by additional properties, called attributes. At- 
tributes are predicates with a designated argument. We call the other arguments 
parameters of the attribute. When a type S i is introduced by restricting a type 
S (the mother mode of Si in Mizar terminology) by attributes Ai,...,A n , this 




Interpretation of a Mizar-Like Logic in First Order Logic 



141 



means that Si is exactly the type of all objects of type S that satisfy the ad- 
ditional conditions A\,...,A n . Parameters of S\ are the parameters of S and the 
parameters of the attributes. This restriction of a type can also be paraphrased 
by saying that Ai,...,A n are the conditions that permit an object of type S also 
to have the subtype Si. The meaning of the attributes must have been defined 
before. The characteristic property 

V (A : S) {A 1 (I)A...A4(I)«3(y : S) (Y = A)) (1) 

can be used only when it has been proved that there is an object of type S that 
satisfies A\,...,A n . 

Whenever a denotes a set, it is possible to introduce the type element_of (a). 
For example the type of real numbers is constructed in this way from the set 
of real numbers. Whenever element_of (a) is introduced by the user, Mizar 
generates the obligation to prove that a is nonempty. The characteristic property 

V ( A : set) ( A £ a <-> 3 (Y : element_of (a)) (Y = A)) (2) 

can be used only when this proof obligation has been satisfied. 

a used in the example above, can be a term with parameters. E.g. a can be 
p (X) where p denotes the power set functor and X is a variable for sets. Then 
it is possible to prove a sentence like 

\/X (V (Y : element.of (p(A))) Fcl). 

In this way, type constructors can have object parameters. All variables must 
be bound by quantifiers. This applies especially to variables which occur as 
parameters in terms that denote types (modes). 

When a new mode is introduced in Mizar, all parameters that are used must 
have modes which have been defined before. Therefore, no variable can occur as 
a parameter in its own type. 

A Mizar signature is a (possibly infinite) sequence of mode, functor 1 and 
predicate declarations, such that each declaration uses only concepts that have 
been defined before. 

For each type there is an infinite number of variables of this type. Variables 
of types with different declarations are different. When a predicate or functor 
symbol expects as nth argument according to its declaration an object of type S, 
then all terms occuring at this position must have a declared value of a subtype 

of 5. 

In the formation of Mizar formulas, the definition of a quantified formula is 
restricted by the following condition. 

If F is a well formed formula and A is a free variable of F, then 3X F and 
VA F are well formed formulas if and only if none of the variables occuring as 
parameters in the type of A is bound by a quantifier inside F. 

1 We follow the Mizar usage to speak of functions when certain objects are meant 
and of functors when we mean the function symbols of a signature of the Mizar 
logic. 




142 Ingo Dahn 



For example, 



MX : set MY : element _of(p(X)) Y Cl 
is well formed, while 

MY : element _of(p(X)) MX : set Y C X 



is not. 

Theories, theorems and proofs in Mizar contain only sentences, i.e. formu- 
las without free variables 2 . Hence, the outermost quantifiers of such sentences 
quantify variables with ground types. Such variables can be instantiated with 
ground terms only and such an instantiation will make the type terms of the 
next-inner variables of the sentence ground etc. 

Type checking can be done algorithmically in the Mizar type system. More 
precisely, each functor symbol t must be declared in Mizar with a unique minimal 
type S. Of course, values of t will also have all types of which S' is a restriction. 
The Mizar parser may introduce tacitly hidden arguments of t in order to make 
sure that all parameters of S are determined by the arguments of t. Especially, 
the value type of a ground term will be ground. It is also possible that t can 
be proved to be equal to an object of a different type. For example, it can be 
proved that empty lists of elements of different types are equal. This way of 
reconsidering an object as an object of a different type must be justified by a 
proof also in Mizar. 

As we stated above, Mizar adds internally type parameters to terms in order 
to ensure the uniqueness of the value type. For the following we strengthen this 
by requiring that all type parameters of the value type of a functor declaration 
occur as parameters of the functor. 



4.2 Semantics of Mizar Types 

Models of the logic of the Mizar Mathematical Library are models of 
Tarski- Grothendieck set theory. Subsequently we assume that such mod- 
els exist, i.e. that the Mizar logic is consistent. 

set is the top type of the Mizar type system. Consequently, the universe of 
models of the Mizar logic consists of all objects of type set. 

These models are augmented by predicates for Mizar modes (types). These 
predicates have a designated argument (say, the first) for the objects of the given 
type and potentially other arguments for the parameters. 

n-ary predicate symbols are interpreted as n-ary relations over the universe. 
A predicate may require arguments of particular types in sentences. In these cases 
we do not care about the behaviour of the relation outside these types, since the 

2 This may not be apparent from Mizar articles since quantifiers may be ommitted 
for better readability or hidden in declarations which are valid for larger sections of 
such an article. 




Interpretation of a Mizar-Like Logic in First Order Logic 143 

truth value of well formed sentences will only depend on the interpretation of 
the predicate for legal values of the arguments. 

Let / be an n-ary functor symbol of a with arguments of type Si,.... S n 
and values declared to be of (minimal) type S. Then, in a Mizar interpretation 
of a, / must be interpreted as an n-ary mapping from the universe of the model 
into itself such that for all instantiations p of the arguments of / and of the 
type parameters of Si, . . . , S n for which the instance a,; of the z-th argument of 
/ satisfies the type predicate of Sip, the value of the mapping at (ai, . . . , a n ) 
satisfies the type predicate of S. 

It may happen - given a Mizar theory which has a model - that such a 
mapping does not exist on that model for some freely chosen new declaration 
of /. In this case, these declarations are inconsistent with the given theory and 
there is no Mizar model to interpret. 

In order to define the truth value of a sentence in a Mizar model, for each 
ground type and each member of the model’s universe, a constant of that type 
is added to the signature. This constant is canonically interpreted as the corre- 
sponding element. This process is repeated a countable number of times. Note 
that this repetition does not create new types but only adds more notations 
for types that have been generated in the first step. Then, for this extended 
language, the truth value of a sentence is defined as usual by induction on the 
complexity of the sentence. 

For example, 3X : S F(X) is true in the model if and only if F(a) is true for 
some constant of type S. 



4.3 A Remark on the Power of the Mizar Type System 

It is important to note that terms denoting types can have only object variables 
- there are no type variables in Mizar. Nevertheless, type constructors known 
from type systems of other logics, can be modelled even in a restricted subsystem 
of Mizar. 

From a set theoretic point of view, types in Mizar denote classes. Some of 
these classes are so small that they can be represented as sets. We may call a 
type S small if 

3 (X : set) V {Y : S) {Y € X) 

can be proved. Then, by the collection schema, it can be proved that there is 
some a such that objects of type S are exactly the objects of type element _of (a). 

Functions are special sets. Hence the semantics of the type of all functions is 
given by a predicate which selects all objects of type set that satisfy a certain 
property (being f unction — like). If a and b are objects of type set, it is possible 
to define the type of all functions from a into b by a predicate that selects those 
functions with domain a and range being a subset of b. 

But when Si , S2 are small types represented as 



element_of (ai) , element_of (02) , 




144 Ingo Dahn 



it can be even proved that the class of all functions taking arguments of type Si 
and having values of type S2 is small, i.e. there is an object function (ai, (12) of 
type set which describes exactly the type of all functions from a\ into 02- Hence 
this type can be introduced as 

elements f ( function (ai, <22)) . 

Using the Mizar f unction type constructor it should be possible to interpret 
classical logics based on the type system used by A-calculus (e.g. the logic of the 
HOL system) in the Mizar logic. However, this is outside the scope of the 
present paper. 

5 Interpretations of Mizar Formulas in First Order Logic 

Currently, the most advanced automated theorem provers take formulas in un- 
typed first order logic as input. In order to apply them to extend a library of 
formulas - like the Mizar Mathematical Library - the logic of the library 
must be interpreted in untyped first order logic. We propose some way to do this 
for the Mizar logic. 

There is a naive interpretation of the Mizar logic in first order logic by 
expanding all definitions. For example, VX : elements f (a) H (X) translates 
into 

VX : set (X G a -> H (X)) . 

Given a type S\ as the restriction of the type S by the attributes Ai, . . . , A n as 
described in section 4.1, then a Mizar formula VX : Si H (X) could be translated 
into 

\/Y : S (Ai (Y) A ... A A n (Y) - H (Y)) . 

This process could be continued until there remain only variables of type set. 
When the resulting formulas are handed over to a first order theorem prover, 
the prover has to solve many proof obligations to ensure the type correctness 
conditions. For example, to prove H (a) for an object a of type Si from the 
assumption VX : Si H (X), the assumptions Ai (a ) , . . . , A n (a) have to be con- 
firmed. This creates heavy deductive overload, especially for provers working 
with depth bound strategies. 

The following interpretation intends to carry over algorithmic typechecking 
from Mizar to automated theorem provers by encoding type information into 
terms in order to prevent the generation of additional proof problems due to type 
checking obligations. The interpretation will work on a large class of formulas 
from the Mizar logic (not only on clauses). Running a resolution prover on an 
interpreted Mizar theory will yield a unification failure when the prover tries to 
bind a term to a variable which does not have an appropriate type. Restrictions 
of this method are discussed in the last section. In the following, the Mizar logic 
takes the role of the target logic T and first order logic is the source logic S. 
Recall that an interpretation does not necessary entail a possibility to translate 
proofs in the target logic into proofs in the source logic. Thus we shall not 




Interpretation of a Mizar-Like Logic in First Order Logic 



145 



be concerned with the problem of translating proofs from automated theorem 
provers into proofs in the Mizar logic. 

Let M be a model of Tarki-Grothendieck set theory and let 

S (x, Ml, ...,u n ) 

be a Mizar mode, seen as a predicate with argument x and parameters U\ , . . . , u n . 
For all ai, . . . , a n € |M|, where \M\ denotes the universe of M 

{x G \M\ : M \=l S (x, ai, . ..,a n )} ^ 0. 

Hence, there is an n + 1-ary function fs on \M\ such that 

M \= a S ( fs (u, ai, . . • Q>n) i Up • • • i Un) 

for all a, ai, . . . , a n G \M\ and fs (a, a 1 , . . . , a n ) = a if M j= S (a, ai, , a n ). 
This means that fs (x, a 1 , . . . , a n ) maps \M\ into the interpretation of 

S (x,ai, ...,a n ) 

in AI and is the identity on the set of elements that satisfy this relation. 

Note that fs can be introduced as the Skolem function needed to eliminate 
the existentioal quantifier in the formula 

VX,U U ..., U n 3Y (S (Y, U u . . . , U n ) A (5(X, U u . . . , U n ) - Y = X)) . 

The following Lemma is an immediate consequence of this definition of fs- 

Lemma 1. Let U = {x G \M\ : M \=^ S (x, ai , . . . , a n )} and let fs also denote 
the unary function defined by fs (x, ai, . . . , a n ). Then 

— U is the range of fs, 

— fs is idempotent on U, 

— the following conditions are equivalent for all x G |M|: 

1 . xeU, 

2 - fs 0) = X. 

3. x is an object of type S with parameters ai, . . . , a n . 

A Mizar signature a consists - beside the type of all sets and the predicate 
symbols = and G - of a set of user defined Mizar modes, relations and functors. 
Our interpretation does not need a restriction on the admissible signatures, i. 
e. S 1 = Sr- For each Mizar signature a let 1 . (a) be the first order signature 
which contains beside = and G these symbols and new n + 1-ary functors fs for 
each Mizar mode S from a with n parameters. 

If M is a Mizar model of such a sorted signature a, then let /i (M) be the 
first order model of signature 1 (a) with the same universe as M, G as in M, and 
the remaining relations and functors defined as follows. 




146 Ingo Dahn 



Relations are defined as in M for arguments in their specific domains. If one 
of the arguments in p, ( M ) is outside this domain, we fix a truth value for this 
relation in an arbitrary way. 

Similarly, functors are interpreted in /i (M) on their domains in M as in M 
and in an arbitrary but fixed way for the remaining arguments. 

The new functors fs are interpreted as described above. This completes the 
description of the mappings t and /i. We complete our definition of an interpre- 
tation of the Mizar logic into first order logic by giving the description of the 
mapping v which translates Mizar formulas into first order formulas and the 
description of <9/ j(T . 

In fact, we shall extend v to work on well formed terms in the Mizar logic. 
v{H ) will be defined by recursion on the structure of H. However, the induction 
schema has to be chosen carefully, since the type declarations of variables and 
functors may contain complex terms. 

Let H be a well formed sentence in the Mizar logic. Without loss of gener- 
ality we can assume that each variable is bound in H by exactly one quantifier. 
If necessary, this can be achieved by renaming of variables. The ordering -< on 
the variables of H is defined as follows. 

Definition 4. X -< Y if and only if the quantifier that binds Y in H is in the 
range of a quantifier that binds X. 

Note that variables that are bound by the outermost quantifiers of H are 
minimal with respect to this ordering. Moreover, all variables in terms occuring 
as instances of parameters of the type of a variable X are below X. 

u> denotes the first infinite ordinal. If G is a subformula or subterm of H , the 
rank of G is an ordinal number defined as follows. 

Definition 5. Let 

n = ma x({card{X \ X -< Y} + 1 | Y occurs in G} U {0}). 

Let d be the term depth of G 3 Then let 

rank(G) = u ■ n + d. 

Note that a proper subterm of a term has a strictly smaller rank than the 
term itself. Moreover, if the variable X occurs in a term t and the parameters 
of the type of X are instantiated with the terms than the ranks of 

ti, ... ,t n must be strictly smaller than the rank of X, since their variables are 
strictly below X. Moreover the rank of X is not bigger than the rank of t. 
The rank of ground terms is the ordinary term depth. When t is a term with 
outermost functor symbol /, by our provision on (hidden) functor arguments of 
/, the parameters of the value type of t have a rank which is strictly less than 
the rank of t. 

3 Formulas are considered as terms in an extended signature where logical connectives 
and quantifiers are considered as ordinary operators. 




Interpretation of a Mizar-Like Logic in First Order Logic 



147 



Now we define v(H) by transfinite induction on the rank of subterms and 
subformulas of H 4 . Hence we can assume that v has been already defined for all 
proper subformulas, subterms and type parameters. 

When X is a variable of a type S with parameters u\ , . . .,u n let 

v ( x ) = fs (X, v (m) («„)) . 

Whenever / is a functor of cr taking arguments of type Si , . . . , S n and declared 
as giving values of type S, ti, ... ,t n are terms of type S \, . . . , S n respectively, 
we define 

v (f (tl, • • • , tn)) = fs (f (v (h) ,...,v (t n ))) . 

Especially, if / is a constant, then v (/) = fs (/). Note that by the definition of 
fs above 

M(M) \=%f s (f)=f. 

If r is a predicate, then let 

v ( r (ti, . . . , t n )) =r{v (ti) , . . . , v (t„)) . 

i.e. relation symbols are not changed. This is of special importance for the 
equality predicate, since it gives provers a chance to utilize their special treat- 
ments of equality, v distributes over quantifiers and propositional operators. 
Especially, variables following a quantifier remain unchanged. The theory 6*/ )<T 
contains beside the axioms of Tarski- Grothendieck set theory additional in- 
formations on the declarations in use. When / is a functor as above, we add to 
<9 j, ct the universal closure of 

fs(f(v(X !),..., V (X n ))) = f(v (Xi) (X n )) (3) 

where X \, . . . , X n are variables of type S\. ... . S n respectively. Moreover we add 

MX f set {X) = X 

and 

\/Xfs(fs(X)) = f s (X) 

When the type Si is defined by restricting the type S by the attributes Ai,...,A n , 
we add 

VX (Hi (f s (X)) A ... A A n (f s (X)) ~ f Sl (fs (X)) = f s (X)) (4) 

VX (f s (f Sl (X)) = f Sl (X)) 

When S is defined as element _of (a), 

MX (X € v (a) <- f s (X) = X) 

is added to T) a . 

4 Readers not acquainted with transfinite induction might prefer to map the finite 
number of ordinals which occur as ranks of subterms and subformulas of H in an 
order-preserving way onto an initial segment of natural numbers and to use ordinary 
induction on these modified ranks. 




148 Ingo Dahn 



Theorem 2. I as defined above by the mappings l, p, v and the first order the- 
ories 0i )CT is an interpretation of the Mizar logic into untyped first order logic. 

Proof. The first thing to show is, that first order models in the range of p 
satisfy Since € and = are not changed by /i, a model p ( M ) must be a 

model of Tarski- Grothendieck set theory, since the Mizar model M is. 

If / is a functor symbol that is declared to take arguments of type Si , . . . , S n 
and to yield a value of type S, 3 expands into 

fs (/ (f Sl (*i) , . . • , fs n (*„))) = f (f Sl (Xi) ,...J Sn (X n )) 

(we discard parameters of the argument types to simplify the notation). Now 
let ai, . . .,a„ be arbitrary elements of \p(M)\ = \M\. Then for i = 1 . . .n we 
have Si ( fs \ (a*)) b y the definition of /s 4 . Hence fs 1 (ai) , . . . , fs n (a„) are in 
the domain of / and hence S (/ (fs 1 (ai) , . . . , fs n (a n ))). Therefore, since fs is 
defined to be the identity on S, 

fs (/ (/si (ai) ,---,fs n (an))) = f (/si (ah) ,...,fs n (a„)) • 

Since the hole universe of M consists of elements of type set and this must be 
the range of f se t . The functions fs are the identity on their respective ranges, 
hence f se t is the identity. 

Now suppose Si is defined by restricting the type S by the attributes Ai,...,A n . 
Let a £ \M\ be arbitrary and let b = fs (a). Hence 

M |=J (Hi (6) A ... A H„ (b) 3X : Sib = x) 

by (1). The right hand side of this equivalence means that Si ( b ) holds and is 
by Lemma 1 also equivalent with fg 1 (b) = b. Now, replacing b by fs (A), we 
confirm (4). b is also a member of the set of all objects of type S, on which fs is 
idempotent. Hence, also fs (/sj (a)) = fs 1 (a). The last sentence of 6>/ )<T reflects 
similarly (2). 

The remaining third condition of the definition of an interpretation states, 
that the translation v does not change the truth value of Mizar sentences. First 
we show by induction on the form of t that for each legal Mizar term t and for 
each instantiation of its variables the value of t in M equals the value of v (t) in 
/i (M). More precisely, a nested induction is required, where the outer induction 
goes over the number of parameters occurring in the involved types. 

If t is a variable of sort S, then the value of t satisfies the predicate charac- 
terizing S, hence t = fs (t) = v ( t ). If t is a compound term f (ti, ... ,t n ) where 
/ is declared as above, then by induction hypothesis 

v ( t ) = fs (/ (v (h) (t n ))) = f s (/ (ti , . . . , t n )) = f (ti, ...,tn) = t 

by Lemma 1. 

The truth value of atomic formulas has not been changed for arguments of the 
sorts admitted according to the Mizar declarations. Only such arguments occur 




Interpretation of a Mizar-Like Logic in First Order Logic 



149 



in translations of legal Mizar formulas by v. The induction over propositional 
connectives is trivial. 

Now, consider a Mizar formula 3X : S H (X). 

v{3X : SH{X)) = 3 Xv{H{X)) . 

If M \=J 3X : S H (X), say M \= J H[a/X] for some a such that S (a), then 
fj, (M) Hf( CT ) Hence n (M) h=f( CT ) 3Xis(H (X)). Conversely, assume 

that 11 ( M ) Hf( CT ) 3X v ( H (X)), say \x ( M ) Hf( CT ) v (H ( a ))- a need not be of sort 
S, but we can observe, that X occurs inside H always inside fs- Moreover by 
Lemma 1 fs {fs (a)) = fs (a) Therefore, the element b = fs (a) = fs ( b ) is of sort 

5 and we have that also n (M) Hf( CT ) v {H (&))> hence M \=^ H (6). This yields 
M |=^ 3X : S H (X). The universal quantifier can be treated similarly.qed 

6 Modifications 

Consider the following sentence which states that each relation can be extended. 

VH: set's! B: set's! C : set{A CB-t VF: relation(A , C)3G: relation{B, C)F C G ). 

Let fs-fr denote the function symbols introduced for the type constructors set 
and relation. Then this sentence is translated by the method described in the 
last section into 

VHVFVCU(H) C f s {B) -+ VF3Gf r (F 1 f s (A ), f s {C)) C f r (G, f s (B ), f s {C))). 

Note that this translation is performed prior to generating clauses for a 
prover. Since f s is the identity function, it can be omitted. The resulting formula 
yields the clause 

AC B —> f r (F, A, C) C f r {s{A, B, C, F),B , C), 
where s is a new Skolem function. 

Suppose we want to infer that each functions can be extended in a similar 
way to a relation, where functions are defined as special relations. // denotes 
the function symbol introduced for the function type constructor. The negated 
goal gives the clauses 

a C b 

~'ff(h{a, b, c),a, b) C f r (G, b, c) 

for new Skolem symbols a, 6, c, h. Since relations are functions, the theory de- 
scribing the interpretation yields 

Mff(X, A, B),A, B) = f f {X, A, B). 

Hence, // can be replaced already in the non-clause form by a term starting 
with f r . Then a simple resolution step completes the proof. 

On the other hand, as expected, it cannot be proved from the above formula 
that each function can be extended similarly to a function with an extended 
domain. 




150 



Ingo Dahn 



7 Discussion 

The interpretation we have given encodes type information into first order terms. 
It is a general purpose interpretation working for any target first order prover. 
It has been especially useful in experiments with provers that communicate at 
runtime within the ILF system [DGHW97]. In order to save time during the 
communication it was necessary to use the same type encoding for all provers. 
When working with a single prover, better results may be achieved by taking 
specific properties of the prover or the actual proof problem into account. The 
ideal solution might be an automated prover having unification implemented in 
an exchangeable module, so that various type checking algorithms can be used. 

For example the Spass prover treats unary predicates as types [GaMeWe97] 
and tries to detect type clashes early. Hence, for this particular prover, the naive 
interpretation which translates quantification of typed variables into quantifica- 
tion relativized by type predicates, is most efficient - at least for the monomor- 
phic case. For Spass, the theory <9j, ct contains axioms describing the declaration 
of functor symbols and for each type an axiom saying that it is not empty. 

[Mel88] proposes a method for encoding monomorphic types that translates 
also checking the subtype relation into unification problems. This method intro- 
duces new variables into the terms. These auxiliary variables in the first order 
clauses can lead to a larger search space, unless they are treated in a special way 
by the automated provers. 

The input language of some provers (e. g. 3TaP and ProTeln) supports the 
encoding of monomorphic tree-like type systems in clauses. When our method is 
applied in this situation and the modifications described in the last section are 
applied, our encoding will differ from them only by using nested functor symbols 
instead of additional list arguments. Since both encodings lead to unifiability 
checks of the same complexity, they can be considered as being of equal power. 
But our interpretation has the advantage that it works also on non-clauses and 
can deal with object type parameters. 

In the interpretation given above we have made some simplifications com- 
pared with the full Mizar language. We have not considered the set constructor, 
which, given a set object a and a formula H , constructs an object representing 
the set of all x £ a such that H (x). This leads to the phenomenon that terms 
can contain formulas. Handling this situation requires an additional induction 
over a countable hierarchy of formulas such that terms of level n + 1 can contain 
formulas of level n. 

We also did not consider types that are defined as classes of structures. This 
is not a severe restriction since the Mizar constructors and selectors of structure 
classes can be translated into ordinary functors. Overloading of functors poses a 
serious limitation to the interpretation given here. In Mizar it occurs in the form 
of redefinitions of value types. They redeclare the value type of a term depending 
on the types of the arguments. These redeclarations cannot be encoded into the 
term structure such that type checking is performed during unification in first 
order theorem provers. The reason is that unification works without backtracking 
from terms to their arguments. It cannot correct a unification clash when it 




Interpretation of a Mizar-Like Logic in First Order Logic 



151 



discovers that arguments carry encodings of a more specific type. Nevertheless, 
it is possible to express overloading by first order formulas so that it can be 
handled by deductive means. 

Recently, Christoph Wernlrard has extracted 47 new proof problems for first 
order provers from an article in the Mizar library with the ILF system. Unlike 
earlier test suites, these problems make use of a polymorphic type constructor. 
The proof problems can be downloaded from the following URL: 

www-irm . mathematik . hu-berlin . de/~ilf /miz2atp/ download . html 
These problems use the naive translation mentioned above. They are formu- 
lated such that the involved type information can be easily recovered. Authors 
of theorem provers are encouraged to modify their provers in order to make effi- 
cient use of the type information contained in the problems. The interpretation 
given above intends to be just one step into this direction. 



References 

[Ba74] K. J. Barwise: Axioms for abstract model theory; Arm. Math. Logic vol. 7 
(1974), 221-265 

[DahWer97] I. Dahn, C. Wernhard: First Order Proof Problems Extracted from an 
Article in the MIZAR Mathematical Library. RISC-Linz Report Series, No. 97-50, 
pp. 58-62, Johannes Kepler Universitat Linz, 1997. 

[DGHW97] B. I. Dahn, J. Gehne, Tli. Honigmann, A. Wolf: Integration of Automated 
and Interactive Theorem Proving in Ilf. In Proc. CADE-14, pp. 57-60, Springer, 
1997. 

[GaMeWe97] H. Ganzinger, C. Meyer, C. Weidenbach: Soft Typing for Ordered Reso- 
lution. In Proc. CADE- 14, pp. 321-335, Springer, 1997. 

[Mel88l Mellish, C. S.: Implementing Systemic Classification by Unification. Comp. 
Ling. 14, 1988, pp 40 - 51 

[MLC99] The Mizar Library Committee: Syntax of the Mizar Language. 

http://www.mizar.org/language/syntax.txt 

[Rud92] P. Rudnicki: An Overview of the Mizar Project. Proceedings of the 1992 Work- 
shop on Types for Proofs and Programs, Chalmers University of Technology, Bas- 
tad 1992. 

[Ta38] A. Tarski ”Uber unerreichbare Kardinalzahlen, Fund. Math., vol. 30 (1938), 
pp. 68-69 

[Try93] A. Trybulec: Some Features of the Mizar Language, ESPRIT Workshop, Torino 
1993. 

[WiGe97] G. Wiederhold, M. Genesereth: The Basis for Mediation. To appear IEEE 
Expert 




An 0((n • logn) 3 )-Time Transformation from 
Grz into Decidable Fragments of Classical 
First-Order Logic 



Stephane Demri 1 and Rajeev Gore 2 * 

1 Laboratoire LEIBNIZ - C.N.R.S. 

46 av. Felix Viallet, 38000 Grenoble, France 
demri@imag.fr 

2 Automated Reasoning Project and Dept, of Computer Science 
Australian National University, ACT 0200 Canberra, Australia 

rpgSarp . anu . edu . au 



Abstract. The provability logic Grz is characterized by a class of modal 
frames that is not first-order definable. We present a simple embedding of 
Grz into decidable fragments of classical first-order logic such as FO 2 and 
the guarded fragment. The embedding is an 0((n.log n) 3 )-time transfor- 
mation that neither involves first principles about Turing machines (and 
therefore is easy to implement), nor the semantical characterization of 
Grz (and therefore does not use any second-order machinery). Instead, 
we use the syntactic relationships between cut-free sequent-style calculi 
for Grz, S4 and T. We first translate Grz into T, and then we use the 
relational translation from T into FO 2 . 



1 Introduction 

Propositional modal logics have proved useful in many areas of computer science 
because they capture interesting properties of binary relations (Kripke frames) 
whilst retaining decidability (see e.g. [Var97,Ben99]). By far the most popular 
method for automating deduction in these logics has been the method of ana- 
lytic tableaux (see e.g. [Fit83,Rau83,Gor99]), particularly because of the close 
connection between tableaux calculi and known cut-free Gentzen systems for 
these logics. 

An alternative approach is to translate propositional modal logics into clas- 
sical first-order logic since this allows us to use the wealth of knowledge in first- 
order theorem proving to mechanize modal deduction (see e.g. [Mor76], [Ohl88], 
[Her89], [dMP95], [Non96], [Ohl98]). Let FO" be the fragment of classical first- 
order logic using at most n individual variables and no function symbols. Any 
modal logic characterized by a first-order definable class of modal frames can 
be translated into FO" for some fixed n > 2. The decidable modal logic K4, 
for example, is characterised by transitive frames, definable using the first-order 

* Supported by an Australian Research Council Queen Elizabeth II Fellowship. 



R. Caferra and G. Salzer (Eds.): Automated Deduction, LNAI 1761, pp. 152—166, 2000. 
(c) Springer- Verlag Berlin Heidelberg 2000 




An 0((n • logn) 3 )-Time Transformation from Grz 



153 



formula (Vx, y, z)(R(x, y) A R(y, z ) => R(x, z)) containing 3 variables. Since FO 3 
is undecidable and FO 2 is decidable, translating K4 into first-order logic does 
not automatically retain decidability. Of course, the exact fragment delineated 
by the translation is decidable. The only known first-order decision procedure 
for that particular fragment except the one that mimicks the rules for K4 is the 
one recently published in [GHMS98]. Therefore, blind translation is not useful 
if this means giving up decidability. 

Moreover, it is well-known that many decidable propositional modal logics 
are characterised by classes of Kripke frames which are not first-order definable, 
and that the “standard” relational translation (see e.g. [Mor76,Ben83]) is unable 
to deal with such logics. The class of such “second order” modal logics includes 
logics like G and Grz which have been shown to have “arithmetical” interpre- 
tations as well as logics like S4.3.1 which have interpretations as logics of linear 
time (without a next-time operator) [Gor94] . 

Somewhat surprisingly, faithful translations into classical logic (usually aug- 
mented with theories) have been found for some propositional modal logics even 
when these logics are characterized by classes of frames that are not first-order 
definable. For instance, the modal logic K augmented with the McKinsey axiom 
is captured by the framework presented in [Ohl93] . Similarly, the provability 
logic G 1 that admits arithmetical interpretations [Sol76] is treated within the 
set-theoretical framework defined in [dMP95] . Both techniques in [Ohl93,dMP95] 
use a version of classical logic augmented with a theory. Alternatively, G can also 
be translated into classical logic by first using the translation into K4 defined in 
[BH94] and then a translation from K4 into classical logic (see e.g. [Ben83]). 

The fact that G can be translated into a decidable fragment of classical logic 
follows from a purely complexity theory viewpoint, as shown next. Take a modal 
logic £ that is in the complexity class C and let C' be another complexity class. 
Here a logic is to be understood as a set of formulae and therefore a logic is 
exactly a (decision) problem in the usual sense in complexity theory. That is, as 
a language viewed as a set of strings built upon a given alphabet. By definition 
(see e.g. [Pap94]), for any fragment of classical logic that is C-lrard with respect 
to C' many-one reductions 2 , there is a mapping / in C' such that any modal 
formula (f> £ £ iff f((f>) is valid in such a first-order fragment. From the facts that 
G is in PSPACE (see e.g. [BH94,Lad77]), validity in FO 2 is NEXPTIME 
hard [Fur81] (see also [Lew80]) and PSPACE C NEXPTIME, it is easy to 
conclude that there exists a polynomial-time transformation from G into validity 
in FO 2 . 

As is well-known, this illustrates the difference between the fact that a propo- 
sitional modal logic K + cf> is characterised by a class of frames which is not 
first-order definable, and the existence of a translation from K + cf> into first- 
order logic. The weak point with this theoretical result is that the definition of 
/ might require the use of first principles about Turing machines. If this is so, 
then realising the map / requires cumbersome machinery since we must first 

1 Also called GL (for Godel and Lob), KW, K4W, PrL. 

2 Also called “transformation”, see e.g. [Pap94]. 




154 Stephane Demri and Rajeev Gore 



completely define a Turing machine that solves the problem. This is why the 
translations in [Ohl93,BH94,dMP95] are much more refined and practical (apart 
from the fact that they allow to mechanise the modal logics under study). 

Another well-known modal logic that is characterized by a class of modal 
frames that is not first-order definable is the provability logic Grz (for Grzegor- 
czyk). The main contribution of this paper is the definition of an 0{n.log n)-time 
transformation from Grz into S4, using cut-free sequent-style calculi for these 
respective logics. Renaming techniques from [Min88] are used in order to get 
the 0(n.log n)-time bound. Then, we present a cubic-time transformation from 
S4 into T, again using the cut-free sequent-style calculi for these respective log- 
ics. Both reductions proceed via an analysis of the proofs in cut-free sequent 
calculi from the literature. The second reduction is a slight variant of the one 
presented in [CCM97] (see also [Fit88] ) . The reduction announced in the title 
can be obtained by translating T into FO 2 , which is known to be decidable 
(see e.g. [Mor75]). Furthermore, the formula obtained by reduction belongs to 
the decidable guarded fragment of classical logic (see e.g. [ANB98]) for which a 
resolution decision procedure has been defined in [Niv98] . 

In [Boo93, Chapter 12], a (non polynomial-time) transformation from Grz 
into G is defined. By using renamings of subformulae, it is easy to extract from 
that transformation, an 0(n.log n)-time transformation from Grz into G [Boo93, 
Chapter 12]. There exists an 0(n)-time transformation from G into K4 [BH94]. 
There exists an 0(n 4 .log n)-time transformation from K4 into K using [CCM97] 
and renamings of subformulae. Finally, there exists an 0(n)-time transformation 
from K into FO 2 [Ben83]. Combining these results gives an 0{n 4 .(log n) 5 )-time 
transformation from Grz into FO 2 , a decidable fragment of first-order logic. 

The translation proposed in this paper is therefore a more refined alterna- 
tive since it requires only time in 0((n.log n) 3 ). As a side-effect, we obtain an 
0(n.log n)-time transformation from Grz into S4 and an 0((n.log n) 3 )-time 
transformation from Grz into T. Using the space upper bound for S4- validity 
from [Hud96], we obtain that Grz requires only space in 0(n 2 .(log n ) 3 ). We 
are not aware of any tighter bound for Grz in the literature. Furthermore, our 
purely proof-theoretical analyses of the cut-free sequent-style calculi, and some- 
times of the Hilbert-style proof systems, gives a simple framework to unify the 
transformations involved in [Boo93,BH94,CCM97]. As we intend to report in a 
longer paper, it is also possible to generalise our method to handle other “second 
order” propositional modal logics like S4.3.1 using the calculi from [Gor94] (see 
also [DG99] for a generalisation and extension in the Display Logic framework 
[Bel82]). This paper is a completed version of [DG98]. 

2 Basic Notions 

In the present paper, we assume that the modal formulae are built from a count- 
ably infinite set Foro = f {p 4 ■ : i,j € iv} of atomic propositions using the usual 
connectives □, =>, A. Other standard abbreviations include V,4=>, O. The set 

of modal formulae is denoted For. An occurrence of the subformula if) in cf> is 




An 0 ((n • logn) 3 )-Time Transformation from Grz 



155 



positive [resp. negative ] iff it is in the scope of an even [resp. odd] number of nega- 
tions, where as usual, every occurrence of <p\ => <j > 2 is treated as an occurence 
of —>(0i A — > 02 )- For instance dp 0 0 [resp. dp 0 -J has a positive [resp. negative] 
occurrence in (ddp 0 4) => (p 0 x A dp 00 ). We write mwp(<p) [resp. mwn{<p)] to 
denote the number of positive [resp. negative] occurrences of □ in 0. We write 
1 0 | to denote the size of the formula 0 , that is the number of symbols occurring 
in 0 . 0 is also represented as a string of characters. 

We recall that the standard Hilbert system K is composed of the following 
axiom schemes: the tautologies of the Propositional Calculus (PC) and Dp =>■ 
(□(p =>• q) => dq). The inference rules of K are modus ponens ( from p and 
p =>■ q infer q) and necessitation (from p infer dp) . By abusing our notation, we 
may identify the system K with its set of theorems, allowing us to write 0 £ K 
to denote that 0 is a. theorem of K. Analogous notation is used for the following 
well-known extensions of K: T = f K + dp => p, K4 = f K + dp => ddp, S4 = f K4 
+ dp => p and Grz = f S4 + d(d(p => dp) =>• p) => dp. Numerous variants of 
the system Grz (having the same set of theorems) can be found in the literature 
(see for instance [GHH97]). 

We call GT, GST and GGrz the cut-free versions of the Gentzen-style calculi 
defined in [OM57, Avr84] where the sequents are built from finite sets of formulae. 
Moreover, the weakening rule is absorbed in the initial sequents. For instance, 
the initial sequents of all the Gentzen-style calculi used in the paper are of the 
form r,<j)\- A, <j) where denotes set union. The common core of rules for the 
systems GT, GS4 and GGrz are presented in Figure 1. 

The introduction rules for d on the right-hand side are the following: 

r \- <j) dr b 0 

A, □ T b d0, A ( D ' )t A, dTb d0, zi ^ D ^‘ S4 



or, d (0 => d 0 ) 1 - <j) 
a, or P d0, a 



(F d)Grz 



where dT = {d ip : ip g T}. Moreover, we assume that in A, there is no 
formula of the form dip. This restriction is not essential for completeness (and for 
soundness) but it is used in the proof of Lemma 5 . Each rule (b d)r, (b 0)54 and 



r,<p\~ A, 4 > (initial sequents) 



Tb A,<p 
T, ->0 b A 



(~>F) 



r,<p\r A 
r b A,^<p 



(F -) 



r.oi.o -2 F. A 
T 01 A 02 F A 



(A b) 



TbA,0i T b A, 02 
r b A, 0i A 02 



(bA) 



T b A, 0i r, 02 A A r, 01 b A, 02 

r, 0i => 02 b a r b a, 0i => 02 



r, D0, 0 b A 
r, Q 0 b a 



(□b) 



Fig. 1 . Common core of rules 





156 Stephane Demri and Rajeev Gore 



(h □ )crz belongs respectively to GT, G54 and GGrz. For each C G {T, 54, Grz}, 
we know that for any sequent F b A, the formula (A^er 0) ^ 0) e 

C iff 3 the sequent r h A is derivable in G C (see e.g. [OM57,Avr84,Gor99]). 
Consequently, if r h A is derivable in G£, then so is A, A' b A. A'. 



3 A Transformation from Grz into S4 

Let / : For x {0, 1} — > For be the following map: 

- for any p € For 0 , /( p, 0) = /( p, 1) = p 

- /(“"A i) = “'/(<A 1 - *) for i G {0, 1} 

- /(</> l A</»2,i) = f{<t>i,i) Ff{fa,i) for * G {0,1} 

- /(A i => fa, *) = ffa l, 1 - *) => f(fa,i) for * G {0, 1} 

- /(□</>, i) = f □(□(/(</>> 1) => D /(<A 0)) => f(<j>, 1)) /(□</>, 0) = □/(&()). 

In ffa, i), the index z should be seen as information about the polarity of 4> 
in the translation process as is done in [BH94] for the translation from G into 
K4. Observe that if we replace the definition of /(□</>, 1) above by f(0<j>, 1) == 
□ (/(□((/> => Ufa => <j>, 1)), we get the same map. 

Since the rule of replacement of equivalents is admissible in Grz, one can 
show by induction on the length of <f> that for any <f> € For and for any i G {0, 1}, 
<j) <t=> ffa, i) G Grz. Moreover, 

Lemma 1. For any f) G For, <j) => ffa, 1) G K C 54 and ffa, 0) => (j) G K C 
54. 

Proof. The proof is by simultaneous induction on the structure of <f>. The base 
case when <f> is an atomic proposition is immediate. By way of example, let us 
treat the cases below in the induction step: 

(1) A (f>2 => ffai A fa, 1) G K (2) Ofa => f(D<j) i,l) G AT 

(3) /(“■</' 1,0) => — x^i G AT (4) f(Ufa,0) => Ofa G K. 

(1) By the induction hypothesis, fa => ffa i, 1) G K and fa => ffa 2 , 1) G K. By 
easy manipulation at the propositional level, fa A fa => ffa i, 1) A f(fa, 1) G AT. 
By definition of f, fa A fa => ffai Afa,l) G K. 

(2) By the induction hypothesis, fa => f(fa,l) G A'. By easy manipulation at 
the propositional level, fa => (□(/(^, 1) => Of fa, 0)) => f(fa,l)) G K. It is 
known that the regular rule (from fa =$■ fa infer Ofa => Ofa) is admissible in 
K. So, Ufa => □ (□(/((/>, 1) => Of fa, 0)) => /(<^i,l)) G I\. By the definition of 
/, Ufa => f[ufa, 1) G K. 

3 As is usual, the empty conjunction is understood as the verum logical constant T (or 
simply p 0 o V -ip 0 0 ) and the empty disjunction is understood as the falsum logical 
constant _L (or simply p 0 0 A ->p 0 0 ). 




An 0((n • logn) 3 )-Time Transformation from Grz 



157 



(3) By the induction hypothesis, 0i => /(0 i , 1) G I\. By easy manipulation at 

the propositional level, ->/(0 i,l) =>• ->0i G K. By definition of /, i,0) => 

->01 G K . 

(4) By the induction hypothesis, /(0i , 0) => 0i G K . Since the regular rule is 
admissible in K, □/(^>i,0) =>■ D0i G K. By the definition of /, /(□</>!, 0) 
□01 G K. 



Theorem 1 . A formula 0 G Grz iff /(0, 1) G ST. 

Proof. If / (0, 1) G S4, then a fortiori f((j), 1) G Grz, and since 0 <G> /(0, 1) G 
Grz, we then obtain 0 G Grz. 

Now assume 0 G Grz, hence the sequent b 0 has a cut-free proof in GGrz. 
We can show that in the given cut-free proof of b 0, for every sequent T b A 
with cut-free proof U ' , the sequent /(T, 0) b f(A, 1) admits a cut-free proof in 
GS4. Here, / is extended to sets of formulae in the natural way. So, we shall 
conclude that b /(0, 1) is derivable in GS4 and therefore /(0, 1) G S4. The proof 
is by induction on the structure of the derivations. 

Base case: When r b A is an initial sequent P' , 0 b 0, A', we can show that 
f{r', 0), /(0, 0) b /(0, 1), f(A' , 1) has a cut-free proof in GS4 since /(0, 0) =>• 
f (0, 1) G S4. By completeness of GS4, /(0, 0) b /(0, 1) has a proof in GST. 
Induction step : The structural rules pose no difficulties because by definition / 
is homomorphic with respect to the comma. By way of example, the proof step 
(in G Grz) 



or', n (0 => Q 0 ) b 0 
r, nr' b n 0 , a 



(b o) Grz 



is transformed into the proof steps (in GS4) 



nf(r\ 0), d(/( 0, l) => □/( 0 , Q)) b /( 0 , l) 

□/(r , o) b d(/( 0, l) =» a/(0, o)) => /(0, i) 1 J 
/(T, 0), n/(r , 0) b □(□(/(0, 1) =► n/(0, 0)) =► /(0, 1)), /(/\, 1) 



(I- °)S4 



The induction hypothesis is used here since □/(T / , 0), D(/(0, 1) □/(0, 0)) b 

/(0, 1) has a (cut-free) proof in GS4. Furthermore, by definition, 

- f(nr', 0) = □/(r,0); /(D0,1) = □(□(/(0,1) =► 0/(0, 0)) =► /(0, 1)); 

- /(n(0 =► D0), 0) = □(□(/(0, 1) =► D/(0, 0))). 

Observe that /(T, 0) does not contain any formula of the form □ 0 / . The proof 
(in G Grz) below left is transformed into the proof (in GS4) below right 



T,D0;0bZl /(T,O),n/( 0 ,O),/( 0 ,O)b/( 41 ) 

T,Q0bzi 1 j /(r,o),n/(0,o)b/(Ai) 




158 Stephane Demri and Rajeev Gore 



Indeed, /(□(/>, 0) = Of (ip, 0). The other cases are not difficult to obtain and they 
are omitted here. 

A close examination of / shows that / is not computable in 0(n.log n)-time. 
Indeed, the right-hand side in the definition of /(□</>, 1) requires several recursive 
calls to / and the computation of / is therefore exponential-time. However, we 
can use a slight variant of / that uses renamings as done in [Min88] . Specifically, 
we have, (Renaming) (p G 54 iff 0(p new ip) => (p' G 54 where (p ' is obtained 
from (p by replacing every occurrence of ip in <p by the atomic proposition p new 
not occurring in cp. 

Let (pbe a modal formula we wish to translate from Grz into S4. Let (pi, , 
(p m be an enumeration (without repetition) of all the subformulae of <p in in- 
creasing order with respect to the size such that the n first formulae are all 
the atomic propositions occurring in (p. We shall build a formula g((p) using 

j : 1 < i < m, j € {0,1}} such that g((p) € 54 iff f((p, 1) G 54. Moreover, 
g((p) can be computed in time 0(\(p\ .log |(/>|). For i G {1, . . . , in }, we associate a 
formula ipi as shown in Figure 2 and let g(<p) = (A™ i tA) =>■ P m \ - 

Lemma 2. 

(1) f((p, 1) G 54 iff g((p) G 54 (2) computing g((p) requires time in 0(\(p\. log |(/>|) 
(3) \g((p ) | is in 0(\<p\.log \<p\) (4) mwp(g((p)) + mwn(g((p)) is in 0{\(p\). 

Proof. (2)-(4) is by simple inspection of the definition of g((p). The idea of the 
proof of (1) is to effectively build g((p) from f((p, 1) by successively applying 
transformations based on (Renaming) . Such a process requires exponential-time 
in (p (since | f(<p, 1)| can be exponential in |()>|). However, we can build g((p) in a 
tractable way (see (2)-(4)) since g translates and renames simultaneously. 

(1) Let us build g((p) from f((p, 1) by successively applying transformations based 
on (Renaming). For any atomic proposition q = (pi occurring in f((p, 1), replace 
the positive [resp. negative] occurrences of q by p ; : [resp. p, 0 ]. Let us say that 
we obtain the formula ip (this shall be our current working formula). The con- 
straint formula, say C, is defined as C = A"=i n (P;.i ^ Pi.o)- Along the steps, 
we shall have that f((p, 1) G 54 iff C =$■ ip G 54. The next steps consist of re- 
placing subformulae ip' in ip by their renaming equivalent and then to update C 



Form of (pi 


ipi 


P 


n (Pi ,0 ^ Pi,l) 


-"A 


D (Pi,i ^ ^Pj.o) A n (p ! ,0 ^ _, p 3 ',i) 


<f>i 1 A (pi 2 


n (Pi,l ^ (Pii.l A Pi 2 ,l)) A D (Pi,0 ^ (Pi!,0 A Pi 2 ,o)) 


< f>i 1 =r” (f)i 2 


^(Pi,l ^ (Pii.O ^ P? 2 ,1 ) ) A D (P i ,0 ^ (Pii,l ^ Pi 2 ,o)) 


□<A 


n (Pi,i D ( D (Pj,l =► D Pj,o)) =► Pj,l)) A D (Pi,0 ^ D Pj,o) 



Fig. 2. Definition of ipi 





An 0((n • logn) 3 )-Time Transformation from Grz 



159 



appropriately until 0 = p m l . For instance, take a subformula 0' = p, ; 1 A p • x in 
0. Replace every occurrence of p, 1 A p ;1 in 0 by p fc>1 with 4>k = 4>i A <fij ■ The 
constraint formula C is updated as follows: C := C A n(p fc ^ <t=> (p^.i A Pyi))- 
The other cases are omitted and they use the decomposition from Figure 2. So, 
when 0 is equal to p m x , /(0, 1) G 54 iff C p m : G 54. It is easy to see that 
(AZi i/>i) => p m : G 54 iff C =>• p m 1 . Indeed, the set of conjuncts of C is a 
subset of the set of conjuncts of AHi 0*- So, if C => p m x G 54, then g(0) G 54. 
In order to show that the converse also holds, let us define the binary relation 
DEP between atomic propositions. Let p ii j i and p l2j2 be atomic propositions 
occurring in A;=i 0*- We write p it J| DEP p i2 - 2 to denote that there is a con- 
junct of A£Li 0i of the form □( , 0i <t=> 02 ) such that either p 4 occurs in 0^ and 
p i2 J2 occurs in 02 or p 4 occurs in ip' 2 and p J2 - 2 occurs in 0^. Let DEP* be the 
smallest equivalence relation including DEP. It is easy to see that if g((f> ) G 54, 
then C => p m -l G 54 since for all the atomic propositions q occurring in 0* 
but not in C, not qDEP*p m l . 

Theorem 2. Grz requires space in 0(n 2 .(log n) 3 ). 

An equivalent statement is that there exists a deterministic Turing machine 
in SPACE(0(n 2 .(log n) 3 )) that solves the Grz-provability problem. This follows 
from the facts that S4 requires space in 0(n 2 .log n) [Hud96], computing g(<f>) 
requires space in 0(\<j>\.log |0|), and \g(<j>)\ is in 0(\<j>\.log |0|). Putting these 
together gives that checking whether g(4>) is an S4-theorem requires space in 
0((|0| .log \cj)\) 2 .log(\cj)\ .log |0|)), that is space in 0(\cj)\ 2 .(log |0|) 3 )- By the way, 
one can show that Grz is PSPACE-lrarcl by using mappings from propositional 
intuitionistic logic into Grz (see e.g. [CZ97]). 



4 A Transformation from S4 into T 



Let h : For x u> x {0, 1} — > For be the following map (n G u>, i G {0, 1}): 



— for any p G Foro, h( p, n, 0) == h( p, n, 1) == p 

— h(-><j), n, i) = f -i h(cf>, n, 1 — i) 

— h(<j ) i A 02, n, i) = f h(4> i, n, i) A h((j> 2 , n, i ) 

— h(<j> i => 02 , n, i) = f h(0i, n, 1 — i) => /i(0 2 , n, z) 

— /i(D0, n, 1) == n/i(0, n, 1) 

_ , / n , „ n ,d.tf □”/i(0, n, 0) if n > 1 
^ ^ | n/i(0, n, 0) otherwise 



The map h is a slight variant of the map A4 s4,t defined in [CCM97] which 
itself is a variant of a map defined in [Fit88] . The main difference is that we 
do not assume that the formulae are in negative normal form (which is why a 
third argument dealing with polarity is introduced here) . In that sense, we follow 
[Fit88, Section 3]. Furthermore, since we are dealing here with validity instead 
of inconsistency, the treatment of the modal operators is dual. 




160 Stephane Demri and Rajeev Gore 



Lemma 3. For any formula £ For and for any 0 < m < n, 

(1) <f> <G> h(<f>, n , 0) € 54 and <f> <t=> h(<j>, n, 1) € 54. 

(2) hftf, n, 0) => h(<f, to, 0) £ T and h((f>, to, 1) =>■ hfcf, n, 1) £ T. 

( 3) h(4>, n, 0) =£• h(<f, n, 1) £ T. 

Proof. The proof of (1) uses the facts that the rule of replacement of equivalents 
is admissible in S4 and O n if 4 => Oif £ 54 for any n > 1 and for any if £ For. 
The proof of (2) is by simultaneous induction on the size of the formula. By way 
of example, let us show in the induction step that h{Ocf, n, 0) =>■ h(0<f, to, 0) £ T. 
By induction hypothesis, h(<j>, n, 0) => h(<f, to, 0) £ T. It is known that the reg- 
ular rule is admissible for T. So, by applying this rule n times on h(<f, n, 0) =>• 
h(<j),m, 0), we get that U n h((f, n, 0) => D n h((f, to, 0) £ T. Since O n h((f,m, 0) =4- 
O m h((f>,m, 0) £ T (remember to < n and □ if =>• if £ T ), then U n h(<f,n, 0) =>• 
U m h{4 > , to, 0) £ T. 

(3) If n = 0, then h(<f, n, 0) = h(<p, n, 1) = (f. Now assume n > 1. The proof 
is by induction on the structure of <p . The base case when (f is an atomic 
proposition is immediate. Let us treat the cases (f = —>(f' and cf = Ocf' in 
the induction step. By Induction Hypothesis, h(<f', n, 0) => h{(f', n, 1) £ T. 
By manipulation at the propositional level, 1) =£- n, 0) £ T. 

By definition of h, h(-xf',n, 0) => h(~>(f',n, 1) £ T. Moreover, by applying n 
times the regular rule (admissible in T) on h(<f',n, 0) h(cf',n, 1), we get 
O n h((ft, n, 0) O n hf(f\ n, 1) £ T. Moreover, 

— n n h((p, n, 1) => Uh{(f ' , n, 1) £ T ; 

— U n h[(f)f n, 0) = h(0(f\ n, 0); 

— □/;.((//, n, 1) = h(a<f r , n, 1). 

So, h(0(f r , n, 0) h{U<p', n, 1) £ T. 

The map h is extended to sets of formulae in the most natural way. 

Lemma 4. Let r b A be a sequent that has a (cut- free) proof II in G5 4 such 
that the maximum number of (b 0)g 4 -rule inferences in any branch is at most 
n. Then, hfr,n, 0) b h(A,n, 1) has a (cut-free) proof in GT. 

Lemma 4 is an extension of Lemma 2.2 in [CCM97]. 

Proof. The proof is by double induction on n and then on the length of the proof 
II of r b A. The length of II is just the number of nodes of the proof tree. 
Base case (if. n = 0. By definition, h(r, 0, 0) = r and h(A, 0, 1) = A. Any proof 
of r b A in G54 with no applications of (b n)s 4 is also a proof of T b A in GT. 
Induction step (i): assume that for any sequent T b A having a (cut-free) proof 
in GS4 such that the maximum number of (b □),s , 4 -rule inferences in any branch 
is at most n — 1 > 0, h(r, n — 1, 0) b h(A, n — 1, 1) has a (cut-free) proof in GT. 
Now, let r b A be a sequent that has a (cut-free) proof II in GS4 such that the 
maximum number of (b □)g 4 -rule inferences in any branch is at most n. We use 
an induction on the length of IT. 




An 0((n • logn) 3 )-Time Transformation from Grz 



161 



Base case (ii): r b A is an initial sequent b A' ,<j). By Lemma 3(3), 

h(<j), n, 0) =>■ h(</>, n, 1) £ T. So, h(<j>, n, 0) b h(<f>, n , 1) has a cut-free proof in 
GT by completeness of GT with respect to T. Hence, h(r', n, 0), h(<j>, n, 0) b 
h(A', n, 1), h((/>, n, 1) has a cut-free proof in GT. 

Induction step (ii): assume that for any sequent T b A having a (cut-free) proof 
77 of length at most n' — 1 > 1 in GS4 such that the maximum number of 
(b □)s 4 -rule inferences in any branch is at most n, h(T , n, 0) b h(A, n, 1) has a 
(cut-free) proof in GT. Now, let T b A be a sequent that has a (cut-free) proof 
77 in GS4 of length n! such that the maximum number of (b □) 54 -rule inferences 
in any branch is at most n. Among the Boolean connectives, we only treat here 
the case for the conjunction since the cases for -> and =>■ are similar. The proof 
77 below (in GST) 



r.^.^b a 

T', (j>\ A (f>2 b A 



7 ( A h ) 



is transformed into the proof below (in GT) using the induction hypothesis (ii) 



h(T', n, 0), h(<j) 1 , n, 0), hjfo, n, 0) b h(A', n, 1) 
h(T', n, 0), h((f> 1 A fa, n, 0) b h(A', n, 1) 

The proof IT below (in GS4) 



r'\- A', fa r'\- A', <h 
r b a', <t>i a </. 2 



(b A) 



is transformed into the proof below (in GT) using the induction hypothesis (ii) 



h(T', n, 0) b h(A', n, 1), h(cf> 1 , n, 1) h(T', n, 0) b h(A' , n, 1), h(</> 2 , n, 1) 
h(T', n, 0) b h(A', n, 1), h((f> 1 A fa, n, 1) 



(b A) 



Consider the proof II below: 



77' 



Ur " h 0 ,, X 

r\ nr" b ufa A’ ^ D - )s4 

In the proof 77' of □7 n " b 4> in GS4, the maximum number of (b □) 54 -rule 
inferences in any branch is less than n— 1. By induction hypothesis (i), h(OT" , n— 
1, 0) b h(4>, n— 1,1) has a cut-free proof, say 77" , in GT. So, the proof below is 




162 Stephane Demri and Rajeev Gore 



obtained in GT: 



n" 

U n ~ 1 h{r" , n — 1, 0) b h(<f>, n — 1, 1) 
h{r\ n, 0), n n h(r", n - 1, 0) b nh(<p, n - 1, 1), h(A', n, 1) ^ )T 

For ip £ r", h(ip, n, 0) =>• h(ip, n — 1, 0) £ T by Lemma 3(2). By using n appli- 
cations of the regular rule, for ip £ F " , n n h(ip,n, 0) => U n h(ip,n — 1,0) £ T. 
Similarly, by Lemma 3(2) h(0<p,n — 1,1) => h(Otp,n, 1) £ T. By soundness of 
GT, the formula Lp £ T where: 

T= ((A MtM,0))A( A □"/;#> n - 1,0))) => (h(a<p,n- 1,1) V \/ h(ip,n, 1)). 

For ip £ T", O n h(ip, n — 1, 0) occurs negatively in and h(0<p, n — 1,1) occurs 
positively in <p. By the Monotonicity of Entailment Lemma [AM86], 

(( A hty,n, 0))A( A O n h(ip, n , 0))) => (/?.(□ 0 , n, 1) V V n > !)) e t 

By completeness of GT, we get that /i(T', n, 0), /i(DT", n, 0) b h(U<p,n, 1), 
/i(Z\ / , n, 1) has a cut-free proof in GT. In order to conclude the proof, let us 
treat the last case. Consider the proof 77 below in G54: 



r',U(P,(p\- A! 
r' , up h A' 



(□b) 



By induction hypothesis (ii), h{r\ n, 0), n n h(</>, n, 0), h(<p, n, 0) b h(A\ n, 1) has 
a cut-free proof in GT. So, 

si = f h(r r , n, 0), U n h{(j>, n, 0), n n ~ 1 h(<p, n, 0), . . . 

. . . , □ h(<p, n , 0), h(<p, n, 0) b h(A', n, 1) 

has also a cut-free proof in GT. The above proof is transformed into (in GT) 



i (□ b) 

h{r\ n, 0), a n h{(p, n, 0), FT 1 h(cp, n, 0), ■ ■ ■ , Ohjcp, n, 0) b h{A' , n, 1) 

h(r\ n, 0), U n h{(j), n , 0), □ n ~ 1 h{(p, n, 0), . . . , n 2 h(<j), n , 0) b h(A', n , 1) 

h(r\ n, 0), n n h(<p, n, 0), □ w ~ 1 fe(<(), n, 0) b h(A’, n, 1) 
h(r', n, 0), h(U(p, n, 0) b h(A', n, 1) 




An 0((n • logn) 3 )-Time Transformation from Grz 



163 



Lemma 5. Let r b A be a sequent such that the number of negative occurrences 
of □ in Vy>g/i ^ * s n - If T \- A has a (cut-free) proof in G Sf, then 

r b A has a (cut- free) proof in G Sf such that the (b D)s4 -rule is applied at most 
n + 1 times to the same formula in every branch. 



Lemma 5 is also an extension of Lemma 2.4 in [CCM97]. However, its proof 
mainly relies on the analysis of the proof of [CCM97, Lemma 2.4]. So it is 
included here in order to make the paper self-contained. 



Proof. First, observe that if r b A is derivable in GST and if 'if has a negative 
[resp. positive] occurrence in (A^gr < t > ) ^ (V<£g/i A)> then for any cut-free proof 
77 of r b A, every occurrence of if in 77 can only occur in the left-hand side 
[resp. in the right-hand side] of sequents. So if the inference below 



nr" b <f 

A, nr" b □</>, A' 



(h n) S A 



occurs in a proof 77 of T b A, then any □'</; G or" occurs with negative polarity 
in (Afflgr'W ^ Moreover, consider the following (b n)s 4 inferences 

in a proof 77 of r b A: 



□ 7^ b <j> 2 

AAA 2 b nf> 2 ,A 2 



(h n) S 4 



□A'’b fa 

A, nr{ b n ( f 1 ,A 1 



(h n) S 4 



Then r[ C Pf Let 77 be a (cut-free) proof of 7 b A in GS4. Assume there is 
a branch in 77 containing n + 1 + k (k > 1) (b D)s 4 inferences introducing the 
same formula Dip. Let us eliminate at least one (b n)s 4 inference on that branch 
as done in [CCM97]. Consider the sequence inf±, . . . , inf n+ \ + k of inferences of 
the form (1 < i < n + 1 + k), 



A, nr/ b □ if, A i 



(h n) S 4 



We assume that if i < j, then infj occurs above inf). Let A be the set of the 
formulae of the form □ 'if' where niff has a negative occurrence in (A^gr ^ 
(V^g a <f)- Since r[ C . . . C rf +1+k and card(r') = n, there exist io € {1, . . . , n+ 
1} and jo € {*o, . . . , n + 2} such that A = A So, in that branch of II, we can 




164 Stephane Demri and Rajeev Gore 



replace the sequence shown below left by the sequence shown below right: 

n' 



ur> o b * 



r jo , nr< 0 ^ Ac 

q A h ^ 

1- a ^Ao 



q)s4 


w 


q)s4 


ur( b ^ 

„ , , , (i- q)s4 

Ao> q^ 0 ^ q^; Ao 



Theorem 3. A formula <f £ 54 iff h(<j>, (mwn(<j>) + 1 ).mwp{<t>), 1) € T. 

Theorem 3 is a mere consequence of Lemma 4 and Lemma 5. Its proof uses the 
sequent calculi GS4 and G T whereas in [CCM97] the proofs manipulate Fitting’s 
non prefixed calculi for S4 and T [Fit83] . Observe the map h is a variant of a 
map defined in [Fit88]. Let us write to denote the formula h(<j), ( mwn(q i) + 
l).mwp(^), 1). 

By close examination of the definition of h! (</)), 

1. computing h'(<j>) requires time in 0{ |<^| 3 ); 

2. \h!(4>)\ is in 0(|<^| 3 ). 

So a formula (f> € Grz iff h'(g(<j))) € T. 

1. Computing h'(g(4>)) requires time in 0((\<j>\.log |</>|) 3 ) (remember mwp(g(4>)) 
+mwn(g(<j))) is in 0(\(/)\); 

2 - \ti(g{4>))\ is in om-log I'/'l) 3 )- 

The relational translation from T into FO 2 (see e.g. [Ben83]) with a smart 
recycling of the variables requires only linear-time and the size of the translated 
formula is also linear in the size of the initial formula. We warn the reader that 
in various places in the literature it is stated that the relational translation ex- 
ponentially increases the size of formulae; this is erroneous. Using this “smart” 
relational transformation, the composition of various transformations in the pa- 
per provides an 0{(n.log n) 3 )-time transformation from Grz into the decidable 
fragment FO 2 of classical logic. It is easy to see that the resulting formula is 
in the guarded fragment of classical logic (see e.g. [ANB98]), for which a proof 
procedure based on resolution is proposed in [Niv98] . Alternatively, after trans- 
lating Grz into T, the techniques from [Sch97] could also be used to translate T 
into classical logic. These are possibilities to obtain a decision procedure for Grz 
using theorem provers for classical logic. 

We are currently investigating whether this translation can be extended to 
first-order Grz (FOGrz). But the set of valid formulae for first-order Gbdel-Lob 
logic, a close cousin of FOGrz, is not recursively enumerable [Boo93, Chapt. 17], 
and we suspect that this result also holds for FOGrz. 




An 0((n • logn) 3 )-Time Transformation from Grz 



165 



References 



AM86. 

ANB98. 



Avr84. 

Bel82. 

Ben83. 

Ben99. 

BH94. 

Boo93. 

CCM97. 

CZ97. 

DG98. 

DG99. 

dMP95. 

Fit83. 

Fit88. 

Fiir81. 



GHH97. 

GHMS98. 

Gor94. 

Gor99. 



M. Abadi and Z. Manna. Modal theorem proving. In J. H. Siekmann, editor, 
CADE-8, pages 172-189. Springer Verlag, LNCS 230, 1986. 

H. Andreka, I. Nemeti, and J. van Benthem. Modal languages and bounded 
fragments of predicate logic. Journal of Philosophical Logic, 27(3):217-274, 

1998. 

A. Avron. On modal systems having arithmetical interpretations. The 
Journal of Symbolic Logic, 49(3):935-942, 1984. 

N. Belnap. Display logic. Journal of Philosophical Logic, 11:375-417, 1982. 
J. van Benthem. Modal logic and classical logic. Bibliopolis, 1983. 

J. van Benthem. The Range of Modal Logic - An Essay in Memory of 
George Gargov. Journal of Applied Non-Classical Logics, 1999. To appear. 
Ph. Balbiani and A. Herzig. A translation from the modal logic of provability 
into K4. Journal of Applied Non-Classical Logics, 4:73-77, 1994. 

G. Boolos. The Logic of Provability. Cambridge University Press, 1993. 

S. Cerrito and M. Cialdea Mayer. A polynomial translation of S4 into T and 
contraction-free tableaux for S4. Logic Journal of the IGPL, 5(2):287-300, 
1997. 

A. Chagrov and M. Zakharyaschev. Modal Logic. Clarendon Press, Oxford, 
1997. 

S. Demri and R. Gore. An 0((n.log n) 3 )-time transformation from Grz 
into decidable fragments of classical first-order logic. In 2nd International 
Workshop on First-Order Theorem Proving, Vienna, pages 127-134. TU- 
Wien Technical Report E1852-GS-981, 1998. 

S. Demri and R. Gore. Theoremhood preserving maps as a characterisation 
of cut elimination for provability logics. Technical Report, A.R.P., A.N.U., 

1999. Forthcoming. 

G. d’Agostino, A. Montanari, and A. Policriti. A set-theoretical translation 
method for polymodal logics. Journal of Automated Reasoning, 15:317-337, 
1995. 

M. Fitting. Proof methods for modal and intuitionistic logics. D. Reidel 
Publishing Co., 1983. 

M. Fitting. First-order modal tableaux. Journal of Automated Reasoning, 
4:191-213, 1988. 

M. Fiirer. The computational complexity of the unconstrained limited 
domino problem (with implications for logical decision problems). In Logi- 
cal machines: Decision problems and complexity, pages 312-319. LNCS 171, 
Springer- Verlag, 1981. 

R. Gore, W. Heinle, and A. Heuerding. Relations between propositional nor- 
mal modal logics: an overview. Journal of Logic and Computation, 7(5):649- 
658, 1997. 

H. Ganzinger, U. Hustadt, C. Meyer, and R. Schmidt. A resolution-based 
decision procedure for extensions of K4. In 2nd Workshop on Advances in 
Modal Logic (AiML’98), Uppsala, Sweden, 1998. to appear. 

R. Gore. Cut-free sequent and tableau systems for propositional Diodorian 
modal logics. Studia Logica, 53:433-457, 1994. 

R Gore. Tableaux methods for modal and temporal logics. In M. d’Agostino, 
D. Gabbay, R. Hahnle, and J. Posegga, editors, Handbook of Tableaux Meth- 
ods. Kluwer, Dordrecht, 1999. To appear. 




166 Stephane Demri and Rajeev Gore 



Her89. 

Hud96. 

Lad77. 

Lew80. 

Min88. 

Mor75. 

Mor76. 

Niv98. 

Non96. 

Ohl88. 

Ohl93. 

01il98. 

OM57. 

Pap94. 

Rau83. 

Sch97. 

Sol76. 

Var97. 



A. Herzig. Raisonnement automatique en logique modale et algorithmes 
d’uniftcation. PhD thesis, Universite P. Sabatier, Toulouse, 1989. 

J. Hudelmaier. Improved decision procedures for the modal logics K, T and 
S4. In H. Buning, editor, Computer Science Logic (CSL’95), pages 320-334. 
LNCS 1092, Springer- Verlag, 1996. 

R. Ladner. The computational complexity of provability in systems of modal 
propositional logic. SIAM Journal of Computing, 6(3):467-480, 1977. 

H. Lewis. Complexity results for classes of quantificational formulas. Journal 
of Computer and System Sciences, 21:317-353, 1980. 

G. Mints. Gentzen-type and resolution rules part I: propositional logic. In 
P. Martin-Lof and G. Mints, editors, International Conference on Computer 
Logic, Tallinn, pages 198-231. Springer Verlag, LNCS 417, 1988. 

M. Mortimer. On language with two variables. Zeitschrift fur Mathematik 
Logik und Grundlagen der Mathematik, 21:135-140, 1975. 

Ch. Morgan. Methods for automated theorem proving in non classical logics. 
IEEE Transactions on Computers, 25(8):852-862, 1976. 

H. de Nivellc. A resolution decision procedure for the guarded fragment. In 
C. Kirchner and H. Kirchner, editors, CADE-15, Lindau, Germany, pages 
191-204. LNAI 1421, Springer- Verlag, 1998. 

A. Nonnengart. Resolution-based calculi for modal and temporal logics. In 
M. McRobbie and J. Slaney, editors, CADE-13, pages 599-612. LNAI 1104, 
Springer- Verlag, 1996. 

H.J. Ohlbach. A resolution calculus for modal logics. PhD thesis, FB Infor- 
matik Univ. of Kaiserslautern, 1988. 

H.J. Ohlbach. Optimized translation of multi modal logic into predicate 
logic. In A. Voronkov, editor, LPAR '93, pages 253-264. Springer- Verlag, 
LNAI 698, 1993. 

H. J. Ohlbach. Combining Hilbert style and semantic reasoning in a res- 
olution framework. In C. Kirchner and H. Kirchner, editors, CADE-15, 
Lindau, Germany, pages 205-219. LNAI 1421, Springer- Verlag, 1998. 

M. Ohnishi and K. Matsumoto. Gentzen method in modal calculi. Osaka 
Mathematical Journal, 9:113-130, 1957. 

Ch. Papadimitriou. Computational Complexity. Addison- Wesley Publishing 
Company, 1994. 

W. Rautenberg. Modal tableau calculi and interpolation. The Journal of 
Philosophical Logic, 12:403-423, 1983. 

R. Schmidt. Optimised Modal Translation and Resolution. PhD thesis, 
Fakultat der Universitat des Saarlandes, 1997. 

R. Solovay. Provability interpretations of modal logics. Israel Journal of 
Mathematics, 25:287-304, 1976. 

M. Vardi. Why is modal logic so robustly decidable? In Descriptive com- 
plexity and finite models, A.M.S., 1997. 




Implicational Completeness of Signed Resolution 



Christian G. Fermiiller 



Institut fiir Computersprachen 
Technische Universitat 
Resselgasse 3/3/E185.2 
A- 1040 Wien, Austria 
ChrisFOlogic . at 



1 Implicational Completeness - A Neglected Topic 

Every serious computer scientist and logician knows that resolution is complete 
for first-order clause logic. By this, of course, one means that the empty clause 
(representing contradiction) is derivable by resolution from every unsatisfiable 
set of clauses S. However, there is another less well known - concept of com- 
pleteness for clause logic, that is often referred to as “Lee’s Theorem” (see, e.g., 
[8]): Char-tung Lee’s dissertation [7] focused on an interesting observation that 
(in a corrected version and more adequate terminology) can be stated as follows: 

Theorem 1 (Lee). Let S be a set of clauses. For every non-tautological clause 
C that is logically implied by S there is clause D, derivable by resolution from 
S, such that D subsumes C. 

Observe that this theorem amounts to a strengthening of refutational com- 
pleteness of resolution: If S is unsatisfiable then it implies every clause; but the 
only clause that subsumes every clause (including the empty clause) is the empty 
clause, which therefore must be derivable by resolution from S according to the 
theorem. 

At least from a logical point of view, Lee’s “positive” completeness result 
is as interesting as refutational completeness. Nevertheless this classic result - 
which we prefer to call implicational completeness of resolution - is not even 
mentioned in most textbooks and survey articles on automated deduction. The 
main reason for this is probably the conception that implicational completeness, 
in contrast to refutational completeness, is of no practical significance. Moreover, 
it fails for all important refinements of Robinson’s original resolution calculus. 
In addition, Lee’s proof [7] is presented in an unsatisfactory manner (to say the 
least) . A fourth reason for the widespread neglect of implicational completeness 
might be the fact that Lee (and others at that time) did not distinguish between 
implication and subsumption of clauses. However, nowadays, it is well known 
that the first relation between clauses is undecidable [10], whereas sophisticated 
and efficient algorithms for testing the latter one are at the core of virtually 
all successful resolution theorem provers (see, e.g., [4]). With hindsight, this is 
decisive for the significance of Lee’s Theorem. 



R. Caferra and G. Salzer (Eds.): Automated Deduction, LNAI 1761, pp. 167—174, 2000. 
(c) Springer- Verlag Berlin Heidelberg 2000 




168 



Christian G. Fermiiller 



We will provide a new and independent proof of implicational completeness in 
a much more general setting, namely signed resolution. An additional motivation 
is that this result is needed for an interesting application: computing optimal 
rules for the handling of quantifiers in many- valued logics (see [9]). In fact, we 
provide a self-contained presentation of signed resolution (compare [5,2]). 

Readers mainly interested in classical logic are reminded that classical clause 
logic is just the simplest case of signed resolution. Even for this special case our 
proof is new and independent from the (rather intricate) ones presented in [7] 
and [8]. 



2 Signed Clause Logic 



Atomic formulae - or: atoms - are build up from predicate, function and variable 
symbols as usual. (Constants are considered as function symbols of arity 0.) By 
the Herbrand base (corresponding to some signature) we mean the set of all 
ground atoms; i.e., atoms that do not contain variable symbols. We consider the 
reader to be familiar with other standard notions, like substitution, most general 
unifier (mgu) etc. 

Let W be a fixed finite set; here always considered as the set of truth values. 
A literal (over W) is an expression S: P, where P is an atom and S C W. A 
(signed) clause is a finite set of literals. 1 

An assignment associates truth values (i.e., elements of W) with atoms. A 
complete assignment to a set of atoms K is defined as a set of literals {{^>(P)}: P \ 
P £ K}, where ^ is a total function from K to W. An (Herbrand-) interpretation 
is a complete assignment of the Herbrand base. 

For any set of atoms K the corresponding literal set AIK) is the set {V: A I 
A € K,V C W,V 0}. 

To assist concise statements about the relation between arbitrary sets of 
literals we use the following notation: 

For a set of literals C let C be the equivalent set that consists of singleton- 
as-sign literals only. More exactly, C = {{u}: A j S: A £ C, v € S}. We say that 
C is contained in another set of literals D if C C D. 

An interpretation I satisfies a clause set S iff for all ground instances C' of 
each C € S: C' f! I ^ 0. I is called an H-model of S. S is (H-)unsatisfiable if 
it has no H-model. Since an analogue of Herbrand’s theorem holds for signed 
clause logic (see, e.g., [1,2]) we can restrict our attention to H-models. 

The significance of this notions lies in the fact that formulae of any first-order 
finite- valued logic can effectively be translated to finite sets of signed clauses in 
such a way that the clause set is unsatisfiable iff the original formula is valid in 
the source logic. (See, e.g., [6,2] for a detailed presentation of this fact.) 

1 In classical clause logic we have W = {true, false}. Literals true: P and false: P 
are traditionally denoted as simply as P and ->P, respectively. 




Implicational Completeness of Signed Resolution 169 



3 Signed Resolution 



The conclusion of the following inference rule: 



{S:P}UCi {R:Q}UC 2 
({SnR:P}UC 1 UC 2 )o 



binary resolution 



is called a binary resolvent of the variable disjoint parent clauses {S': P} U C\ 
and {R: Q} U C 2 , if S ^ R and o is an mgu of the atoms P and Q. 

Like in the classical case we need a factorization rule to obtain a refutationally 
complete calculus: 



C_ 

Co 



factorization 



where o is an mgu of a subset of C. Co is called a factor of C. 

The combination of factorization and binary resolution does not yet guaran- 
tee that the empty clause can be derived from all unsatisfiable sets of clauses. 
We also have to remove literals with empty signs by the following simplification 
rule. 

C U {0: P} 

simplification 



C is called a simplification of C' if it results from C' by removing all literals with 
empty sign. (I.e., by applying the simplification rule to C' as often as possible.) 

The merging rule unites literals that share the same atom. It is not needed 
for completeness but helps to reduce the search space and to simplify the com- 
pleteness proof. 3 



{S 1 :P}U,..U{S n :P}UC 
{Si U . . . U S n : P} U C 



merging 



C is called a normal form or normalized version of C' if it results from C' by 
applying the simplification rules and the merging rule to C' as often as possible. 
I.e., all literals with empty signs are removed and all different literals in C have 
different atoms. 

One can combine factoring, simplification, merging, and binary resolution 
into a single resolution rule. This corresponds to a particular strategy for the 
application of these rules. 

The following alternative version of signed resolution can be considered as 
a combination of a series of binary resolution and simplification steps into one 
“macro inference step” , called hyperresolution in [5] . 



{Si: Pi} U Ci ... {S n :P n }UC n 
(Cl U . . . U C n )o 



hyperresolution 



2 Alternatively, one can dispose with the simplification rule by defining a clause to be 
empty if all literals have empty sets as signs. 

3 The merging rule is needed for completeness if clauses are not treated modulo 
idempotency of disjunction (e.g., as multisets as opposed to sets). 




170 



Christian G. Fermiiller 



where Si n . . . fl S n = 0 and a is the mgu of the atoms Pi (1 < i < n). The 
conclusion is called a hyperresolvent. 

It is useful to consider resolution as a set operator (mapping sets of clauses 
into sets of clauses) . 

Definition 1. For a set of clauses S let IZb(S) be the set of all binary resolvents 
of (variable renamed) normalized factors of clauses in S. The transitive and 
reflexive closure of the set operator 7 Zb is denoted by TZ* b . 

Similarly, we define 7Z m (S) as the set of all hyperresolvents of (variable re- 
named) normalized factors of clauses in S. 7 denotes the transitive and re- 
flexive closure oflZ m . 

Definition 2. A resolution operator 1Z is refutationally complete if for all 
clause sets S, S unsatisfiable implies {} G 7Z*(S). 

A resolution operator 1Z is called implicationally complete if for all clause 
sets S and clauses C , either C is a tautology or C is subsumed by some C' £ 
7 Z*(S) whenever S implies C. 

Observe that hyperresolution does not enjoy implicational completeness: 
Consider, e.g., the propositional clauses 

{{it, v}: A} and {{it, te}:4}, 

where u,v,w are pairwise different truth values. The hyperresolution rule is not 
applicable. The (non-tautological) clause {{it}: 4} is implied by {{{it, u}: 4}, 
{{it, it)}: 71} }, without being subsumed by one of its members. 

4 Implication and Subsumption 

Definition 3. For a clause C = {Si: Pi, ... S n : P n } let 



h C] = {{W - Si: Pi')}, ...{W-S n : P„ 7 }}, 



where 7 is a substitution that replaces each variable in C by a new constant. 
(W is the set of all truth values.) 

Proposition 1. For every clause C and interpretation / 4 : 1 is a model of [~^C] 
iff I does not satisfy C. 

Proof. Follows from the definition of [- 1 C] . 

Definition 4. A clause C subsumes a clause D if some instance of C is con- 
tained in D; more formally: if C6 C D, for some substitution 8. A set of 
clauses S implies a clause C if all models of S satisfy C. 

4 Of course, the Herbrand universe has to include also the new constants occurring 
in [-iC]. 




Implicational Completeness of Signed Resolution 171 



We state some simple facts about implication of clauses and subsumption. 

Proposition 2. Let C and D be clauses. If C subsumes D then {C} implies D. 

Proof. Follows from the definitions of subsumption and implication, respectively. 

Observe that the converse of Proposition 2 does not hold. E.g., {{«}: P{x), 
{u}: P(f(x)} implies but does not subsume {{it}: P(x), {u}: P(f(f(x))} if u ^ v. 
Whereas the problem to decide whether a clause C subsumes a clause D is NP- 
complete (see [3], it is undecidable whether { C } implies D , in general as proved 
in [10]. 

Proposition 3. Let S be a clause set and C be a non-tautological clause. S 
implies C iff S U [— >C7] is unsatisfiable. 

Proof. Follows from Proposition 1 and the definition of implication. 



Lemma 1. Let C and D be non-tautological clauses. C subsumes D iff there 
exists a ground substitution 8 s.t. {C9} U [~^D\ is unsatisfiable. 

Proof. =>: Suppose Ca C D. Then also Cuy C Dy, where 7 is the substitution 
replacing every variable by a new constant in [->£)]. This implies that for each 
literal V: A € Caj, there is a clause of form { V A } G [~^D] such that VC\V' = 0. 
This means that {Cuy} U [~^D\ is unsatisfiable. 

7=: Suppose {C6} U [~^D] is unsatisfiable, where C8 is ground. Since D is 
non-tautological, [->£>] is satisfiable. Therefore, for each literal {'(;}: A € C9 there 
has to exist a clause { S : A} £ [->£)] s.t. v fL S. This implies C9 C D. In other 
words: C subsumes D. 



5 Semantic Trees for Signed Clause Logic 

Our completeness proof is based on the concept of semantic trees. It differs 
from the proofs in [1] and [6]; but generalizes the completeness proof in [2] for 
singletons-as-signs resolution to (unrestricted) signed resolution. 

As usual in automated deduction, we consider a tree as growing downwards; 
i.e. the root is the top node of a tree. A node or edge a is above a node or edge j3 
if a is part of the path (considered as alternating sequence of nodes and edges) 
connecting f3 with the root. A branch of T is a path that starts with the root 
and either is infinite or else ends in a leaf node of T. 

Definition 5. Let W be a finite set of truth values and I\ be a set of ground 
atoms. For any subset A of the literal set A(K) of K we say that A omits the 
assignment Ak to I\ if An Ak = 0- A finitely branching tree T is a semantic tree 
for I\ if finite, non-empty subsets of A(K) label the edges of T in the following 
way: 




172 



Christian G. Fermiiller 



(1) The set of the sets of literals labeling all edges leaving one node is an H- 
unsatisfiable set of clauses. 

(2) For each branch ofT the union of the sets of literals labeling the edges of the 
branch omits exactly one complete assignment Ak to I\. For short, we say 
that the branch omits Ak as well as any interpretation containing Ak- 

(3) For each complete assignment Ak to I\ there is a branch ofT s.t. this branch 
omits Ak- 

The union of all sets of literals labeling the edges of the path from the root down 
to some node a of T forms the refutation set of a. 

For a set of clauses S any semantic tree T for A(S) represents an exhaus- 
tive survey of all possible H-interpretations. Each branch omits exactly one H- 
interpretation and each H-interpretation is omitted by at least one branch. 

Definition 6. A clause C fails at a node a of a semantic tree T if some ground 
instance of C is contained in the refutation set of that node. A node a is a failure 
node for a clause set S if some clause of S fails at a but no clause in S fails at a 
node above a. A node is called an inference node if all of its successor nodes are 
failure nodes. T is closed for S if there is a failure node for S on every branch 
ofT. 



Theorem 2. A set of clauses S is unsatisfiable iff there is a finite subset K C 
A(S) s.t. every semantic tree for I\ is closed for S. 

Proof. =>: Let T be a semantic tree for A(S), the Herbrand base of S. By 
definition of a semantic tree, any branch B of T omits exactly one complete 
assignment to A(S), which extends to an H-interpretation A4 of S. If S is unsat- 
isfiable then A4 does not satisfy all clauses in S. This means that there is some 
ground instance C' of a clause C in S s.t. C' fl M = 0. But since B omits only 
the literals of A(A(S)) that are true in Jvi this implies that the union of labels 
of the edges of B contains C'\ i.e., C is contained in the refutation set of some 
node of B. We have thus proved that every branch of T contains a failure node 
for some clause of S. In other words, T is closed for S. Moreover, by Konig’s 
Lemma, the number of nodes in T that are situated above a failure node is fi- 
nite. But this implies that for each unsatisfiable set of clauses S there is a finite 
unsatisfiable set S' of ground instances of clauses of S. Since any semantic tree 
that is closed for S' is also closed for S it is sufficient to base the tree on a finite 
subset of A(S): the set K of ground atoms occurring in S'. Observe that we have 
not imposed any restriction on the form of the tree. Thus every semantic tree 
for I\ is closed for S. 

<=: Let T be a closed semantic tree for a finite K C A(S). Suppose M. is an 
H-model of S\ i.e. for all ground instances C' of C £ S we have AiC\ C" 0. By 
definition of a semantic tree, M is omitted by some branch B of T. Since T is 
closed, some clause C € S fails at a node a of B. That means that some ground 
instance C' of C is contained in the refutation set of a. Therefore JA(1 C' ^ lb 




Implicational Completeness of Signed Resolution 173 



implies that M. contains some literal that also occurs in some refuation set of a 
node on B. But this contradicts the assumption that B omits JA. Therefore S 
is unsatisfiable. 

Theorem 2 is the basis for refutional completeness proofs for many different 
versions and refinements of signed resolution (see [2]). Our task here is to show 
that it can be used to prove implicational completeness as well. 

6 Implicational Completeness 

Theorem 3. IZb is implicationally complete. More precisely, if C is a non- 
tautological clause that is implied by a set of clause S then there exists a D £ 
TZl(S) s.t. D subsumes C. 

Proof. By Propositon 3 5 0 [->(7] is unsatisfiable. Hence, by Theorem 2 there 
is a finite subset K of A(S U [— >C7]) s.t. every semantic tree for K is closed for 
SU[-.C]. 

Let [->(7] = {{Vi: Ai} , . . . , { V n : A n }} and W be the set of all truth values. 
Since (7 is non-tautological W — p is not empty. Without loss of generality we 
may assume (7 to be normalized; i.e., A t ^ Aj if i j. We choose a semantic 
tree T for K that starts with the following subtree: 




[W-Vy.AA 

{W - P 2 : A 2 } / \P 2 : A 2 } 



{W-V n :A n \ 



C^n+1 




v n : A , J 



The subtrees of T rooted in the nodes a\, . . . , a n , respectively, are arbitrary 
(since these nodes obviously are failure nodes). 

For the construction of the subtree T n +i of T rooted in a„+i we have to 
take care that it does not contain a failure node for any clause in [— 1 < 7 ] . This can 
be achieved as follows. Let Vf , ... , P x fc be the subsets of Pi that contain all but 
one element of Pi. (If Pi is a singleton simply skip this part of the construction 
of T.) Attach k successor nodes /3i , . . . , (3k to a n+ \. Label the edges to these new 
nodes by {Pi 1 : A{\, . . ., { Vf : Ai}, respectively. Clearly, the refutation set of /3i 
(1 < i < k) omits exactly one assignment to the atom A\. By proceeding in the 
same way for A 2 , . . . A n we arrive at a partial semantic tree Tq, each branch of 
which omits exactly one assignment to the atoms occurring in [-i(7]. Thus no 
literals signing atoms of [~<C} will have to occur below Tc- Therefore we can 





174 



Christian G. Fermiiller 



assume that the only failure nodes in T of clauses in [~<C] are aq, . . .,a n . In 
other words: all failure nodes in T n+ i are failure nodes for clauses in S. 

The only restriction (in addition to the requirement that T is a semantic tree 
for I \ ) that we pose on the structure of T below Tc is that the literals labeling 
edges directly connected to a common node all contain the same atom. This 
way the following statement is easily seen to follow from condition (1) of the 
definition of a semantic tree. 

(R) Let a be an inference node in T. Let C\, . . . C n be the clauses failing 
at its successor nodes (3\,...(3 n , respectively. Then some resolvent D G 
n* b {{C u . . .C n }) fails at a. 

Since T is closed for S U [- 1 C] it must contain at least one inference node. 
Therefore, by iteratively adding resolvents to 5U[->(7] and applying (R), we must 
eventually derive a clause D that fails at the node a„+i- Since T n+ 1 contains no 
failure nodes for clauses in [~^C] we conclude that D G 7 2|(S). By Theorem 2 it 
follows that{D0} U [->(7] is unsatisfiable, where 9 is a ground substitution such 
that DO is contained in the refutation set of node a n +\. By Lemma 1 it follows 
that D subsumes C. 

References 

1. M. Baaz. Automatisches Beweisen fiir endlichwertige Logiken. In Jahrbuch 1989 
der Kurt Godel-Gesellschaft, pages 105-107. Kurt Godel Society, 1989. 

2. M. Baaz and C. G. Fermiiller. Resolution-based theorem proving for many-valued 
logics. J. Symbolic Computation , 19:353-391, 1995. 

3. M.S. Garey and D.S. Johnson. Computers and Intractability: A Guide to the Theory 
of NP- Completeness. Freeman, San Francisco, 1979. 

4. G. Gottlob and A. Leitsch. On the efficiency of subsumbtion algorithms. Journal 
of the ACM , 32(2):280-295, 1985. 

5. R. Hahnle. Automated Deduction in Multiple-valued Logics. Clarendon Press, 
Oxford, 1993. 

6. R. Hahnle. Short conjunctive normal forms in finitely-valued logics. Journal of 
Logic and Computation, 4(6):905-927, 1994. 

7. R.C.T. Lee. A completeness theorem and a computer program for finding theorems 
derivable from given axioms. Ph.D. Thesis, University of California, Berkely, 1967. 

8. A. Leitsch. The Resolution Calculus. Springer, Berlin, Heidelberg, New York, 1997. 

9. G. Salzer. Optimal axiomatizations for multiple-valued operators and quantifiers 
based on semi-lattices. In 13th Int. Conf. on Automated Deduction (CADE’96), 
LNCS (LNAI). Springer, 1996. 

10. M. Schmidt-Schauss. Implication of clauses is undecidable. Theoretical Computer 
Science, 59:287-296, 1988. 




An Equational Re-engineering of Set Theories* 



Andrea Formisano 1 and Eugenio Omodeo 2 

1 University “La Sapienza” of Rome, Department of Computer Science 

f ormisanOdsi . uniromal . it 

2 University of L’Aquila, Department of Pure and Applied Mathematics 

omodeoOunivaq. it 



This is hence the advantage of our method: that immediately ■ ■ ■ and with the 
only guidance of characters and through a safe and really analytic method , we 
bring to light truths that others had barely achieved by an immense mind effort 
and by chance. And therefore we are able to present within our century results 
which, otherwise, the course of many thousands of years would hardly deliver. 

(G. W. Leibniz, 1679) 



Abstract. New successes in dealing with set theories by means of state- 
of-the-art theorem-provers may ensue from terse and concise axiomatiza- 
tions, such as can be moulded in the framework of the (fully equational) 
Tarski-Givant map calculus. In this paper we carry out this task in detail, 
setting the ground for a number of experiments. 

Keywords: Set Theory, relation algebras, first-order theorem-proving, 
algebraic logic. 



1 Introduction 

Like other mature fields of mathematics, Set Theory deserves sustained efforts 
that bring to light richer and richer decidable fragments of it [6] , general inference 
rules for reasoning in it [35, 2], effective proof strategies based on its domain- 
knowledge [3], and so forth. 

Advances in this specialized area of automated reasoning tend to be steady 
but slow compared to the overall progress in the field. Many experiments with 
set theories have hence been carried out with standard theorem-proving systems. 
Still today such experiments pose considerable stress on state-of-the-art theorem 
provers, or demand the user to give much guidance to proof assistants; they 
therefore constitute ideal benchmarks. Moreover, in view of the pervasiveness of 
Set Theory, they are likely — when successful in something tough — to have a 
strong echo amidst computer scientists and mathematicians. Even for those who 
are striving to develop something entirely ad hoc in the challenging arena of set 
theories, it is important to assess what can today be achieved by unspecialized 
proof methods and where the context-specific bottlenecks of Set Theory precisely 
reside. 

* Work partially supported by the CNR of Italy, coordinated project • • • • , and by 
MURST 40%, “Tecniche speciali per la specifica, l’analisi, la verifica, la sintesi e la 
trasformazione di programmi”. 



R. Caferra and G. Salzer (Eds.): Automated Deduction, LNAI 1761, pp. 175—190, 2000. 
(c) Springer- Verlag Berlin Heidelberg 2000 




176 Andrea Formisano and Eugenio Omodeo 



In its most popular first-order version, namely the Zermelo-Skolem-Fraenkel 
axiomatic system ZF, set theory (very much like Peano arithmetic) presents 
an immediate obstacle: it does not admit a finite axiomatization. This is why 
the von Neumann-Bernays-Godel theory GB of sets and classes is sometimes 
preferred to it as a basis for experimentation [4, 34, 27]. Various authors (e.g., 
[19, 23, 24]) have been able to retain the traits of ZF, by resorting to higher-order 
features of specific theorem-provers such as Isabelle. 

In this paper we will pursue a minimalist approach, proposing a purely equa- 
tional formulation of both ZF and finite set theory. Our approach heavily relies 
on [33], but we go into much finer detail with the axioms, resulting in such a 
concise formulation as to offer a good starting point for experimentation (with 
Otter [18], say, or with a more markedly equational theorem-prover) . Our formu- 
lation of the axioms is based on the formalism £ x of [33] (originating from [32]), 
which is equational and devoid of variables, but somewhat out of standards. 
Luckily, a theory stated in £ x can easily be emulated through a first-order 
system, simply by treating the meta-variables that occur in the schematic for- 
mulation of its axioms (both the logical axioms and the ones endowed with a 
genuinely set-theoretic content) as if they were first-order variables. In practice, 
this means treating ZF as if it were an extension of the theory of relation al- 
gebras [17, 29, 21, 8, 10]; an intuitive explanation — a rough one, in view of 
well-known limitative results — 1 of why we can achieve a finite axiomatization 
is that variables are not supposed to range over sets but over the dyadic (i.e. 
binary) relations on the universe of sets. 

Taken in its entirety, Set Theory offers a panorama of alternatives (cf. [28] , 
p.x); that is, it consists of axiomatic systems not equivalent (and sometimes 
antithetic, cf. [20]) to one another. This is why we will not produce the axioms 
of just one theory and will also touch the theme of ‘individuals’ (ultimate entities 
entering in the formation of sets). Future work will expand the material of this 
paper into a toolkit for assembling set theories of all kinds — after we have singled 
out, through experiments, formulations of the axioms that work decidedly better 
than others. 

2 Syntax and Semantics of C x 

C x is a ground equational language where one can state properties of dyadic 
relations — MAPS, as we will call them — over an unspecified, yet fixed, domain 
U of discourse. In this paper, the map whose properties we intend to specify is 
the membership relation £ over the class U of all sets. The language £ x consists 
of map equalities Q—R , where Q and R are map expressions: 



1 Two crucial limitative results are: that no consistent extension of the Zermelo theory 
is finitely axiomatizable (Montague, 1961), and that the variety of representable 
relation algebras is not finitely based (Monk, 1964). 




An Equational Re-engineering of Set Theories 



177 



Definition 1 . Map expressions are all terms of the following signature: 



symbol : 


0 


1 


L 


G 


n 


A 


o 


-1 


- 


\ 


U 


t 


degree : 


0 


0 


0 


0 


2 


2 


2 


1 


1 


2 


2 


2 


priority : 










5 


3 


6 


7 




2 


2 


4 



(Of these, PI, A, o, \, U, f will be used as left-associative infix operators, 1 as a 
postfix operator, and — as a line topping its argument.) □ 

For an interpretation of C x , one must fix, along with a nonempty U , a subset 
G 9 of U 2 = 0et U xW. Then each map expression P comes to designate a specific 
map P' 5 (and, accordingly, any equality Q—R between map expressions turns 
out to be either true or false), on the basis of the following evaluation rules: 

0 9 =Def0> H- 9 =DefW 2 , i 9 = Def {[a,a] : a in U } ; 

(QHi?) 9 = Def { [a, b\eQ* : {a, b]eR*}; 

(QAP) 9 = Def { [a, b] G U 2 : [a, b] G Q 9 if and only if [a, b] ^ f? 9 }; 

(Qoi?) 9 = De{ {[a,b\eU 2 : 

there are cs in U for which [a, c] G Q 9 and [c, 6] G P 9 }; 

(Q " 1 ) 9 =w(M : [M]GQ 9 }. 

Of the operators and constants in the signature of £ x , only a few deserve 
being regarded as primitive constructs; indeed, we choose to regard as derived 
constructs the ones for which we gave no evaluation rule, as well as others that 
we will tacitly add to the signature: 



P = Def pat 


PtQ = Def PoQ 


P\Q =De, PGQ 


funPart(P) = Def P\Poi 


PUQ = Def P\Q 


etc. 



The interpretation of C x obviously extends to the new constructs; e.g., 

(PfQ) 9 = Def { [a, b\ Gif 2 : for all c in U , either [a, c] G P 9 or [c, b] G Q 9 }, 
funPart( P ) 0 = Def {[a, b] G P 9 : [a, c] ^ P 9 for any c 6}, 

so that funPart(P)=P will mean “P is a partial function”, very much like 

Fun( P ) to be seen below. 

Through abbreviating definitions, we can also define shortening notation for 
map equalities that follow certain patterns, e.g., 

Fun(P) = Def P” 1 oPV=0 
Total(P) = Def PolL=l 

so that Total( P ) states that for all a in U there is at least one pair [a, b] in P 9 . 

Remark 1. ft is at times useful (cf. [5]) to represent a map expression P by a 
labeled oriented graph G with two designated nodes s o , s i named source and 
sink, whose edges are labeled by sub-expressions of P. 

A non-deterministic algorithm to construct G, so, Si runs as follows: either 

— G consists of a single edge, labeled P, leading from sq to Si; or 






178 Andrea Formisano and Eugenio Omodeo 



— P is of the form Q _1 , and G, si,so (with source and sink interchanged) 
represents Q ; or 

— P is of the form QoR , the disjoint graphs G' , sq, s 2 and G", s 2 , Si represent 
Q and R respectively, and one obtains G by combination of G' with G" by 
‘gluing’ s 2 onto s 2 to form a single node; or 

— P is of the form QDR, the disjoint graphs G' , s' 0: s[ and G " , s' 0 ', s” represent 
Q and R respectively, and one obtains G from G' and G" by gluing onto 
Sq to form so and by gluing s" onto s' x to form si. 

As an additional related convention, one can either 

— label both so and Si by V, to convert a representation G, s o, Si of P into a 
representation of the equality P—H; or 

— label both so and si by 3, to represent the inequality P^0 (which is a short 
for the equality 1 oPoU= 1L); or 

— label the source by V and the sink by 3, to represent the statement Total( P ). 

□ 



3 Specifying Set Theories in C x 

One often strives to specify the class C of interpretations that are of interest in 
some application through a collection of equalities that must be true in every 3 
of C. The task we are undertaking here is of this nature; our aim is to capture 
through simple map equalities the interpretations of £ that comply with 

— standard Zermelo-Fraenkel theory, on the one hand; 

— a theory of finite sets ultimately based on individuals, on the other hand. 



In part, the game consists in expressing in C x common set-theoretic notions. 
To start with something obvious, 

^ =DefS, 3 =Def G , =Def 9 1 

£o£i • • • £ n = Def £o o£i o ■ ■ ■ o£„, where each £j stands for one of £, 3, 1. 

To see something slightly more sophisticated: 



Example 1. With respect to an interpretation 3, one says that a intersects b if a 
and b have some element in common, i.e. , there is a c for which c£a and c£^b. 
A map expression P such that P a = { [a, b] £ U 2 : a intersects b} is 3£. 

Likewise, one can define in C x the relation a includes b (i.e., ‘no element 
of b fails to belong to a’), by the map expression ^£. The expression 3§?Ui. 
translates the relation a is strictly included in 6, and so on. 

Let a splits b mean that every element of a intersects b and that no two 
elements of a intersect each other. These conditions translate into the map ex- 
pression defined as follows: 

splits = Def ( jff 3£ )n( 3fi3o( 3 enr) )o£. 

□ 



Secondly, the reconstruction of set theory within C x consists in restating 
ordinary axioms (and, subsequently, theorems), through map equalities. 




An Equational Re-engineering of Set Theories 



179 



Example 2. One of the many ways of stating the much-debated AXIOM OF CHOICE 
(under adequately strong remaining axioms) is by claiming that when a splits 
some b, there is a c which is also split by a and which does not strictly include 
any other set split by a. Formally: 

(Ch) Total( spl itso ILUspI its \ splitso3^Ut ), 

where the second and third occurrence of splits could be replaced by JffBG- 

The original version of this axiom in [36] stated that if a is a set whose 
elements all are sets endowed with elements and mutually disjoint, then (J a 
includes at least one subset having one and only one element in common with 
each element of a. To relate this version of (Ch) with ours, 2 notice that a set 
a splits some b if and only if a consists of pairwise disjoint non- void sets (and, 
accordingly, a splits (J a). Moreover, an inclusion-minimal c split by a must have 
a singleton intersection with each d in a (otherwise, of two elements in cfl d, 
either one could be removed from c) ; conversely, if c is included in (J a and 
has a singleton intersection with each d in a, then none of its elements e can 
be removed (otherwise c \ {e} would no longer intersect the d in a to which e 
belongs) . □ 

In the third place, we are to prove theorems about sets by equational rea- 
soning, moving from the equational specification of the set axioms. To discuss 
this point we must refer to an inferential apparatus for £ x ; we hence delay this 
discussion to much later (cf. Sec. 8). 



4 Extensionality, Subset, Sum-Set, and Power-Set 
Axioms 

Two derived constructs, d and 3\ will be of great help in stating the properties 
of membership simply: 

9{P) = Def P o0, T(P) = DeC d(P)\Poe. 

Plainly, ad( Q)^b and aT( R ) b will hold in an interpretation 3 if and only if, 
respectively, 

— all cs in U for which aQ^c holds are ‘elements’ of b (in the sense that cG'A): 

— the elements of b are precisely those c in U for which aR'^c holds. 

Our first axiom, extensionality, states that sets are the same whose ele- 
ments are the same: 

(E) ?{3)=i. 

A useful variant of this axiom is the scheme Fun(T(P)), where P ranges 
over all map expressions. 

Two rather elementary postulates, the power-set axiom and the SUM-SET 
axiom, state that for any set a, there is a set comprising as elements all sets 
included in a, and there is one which comprises all elements of elements of a: 

(Vow) Total( d( ^G ) ), 

For 19 alternative versions of this axiom, cf. [25], p.309. 



2 




180 Andrea Formisano and Eugenio Omodeo 



( Un ) Total( d( 33 ) ). 

A customary strenghtening of the sum-set axiom is the transitive embed- 
ding axiom, stating that every b belongs to a set a which is transitively closed 
w.r.t. membership, in the sense specified by trans here below: 

(T) Total( gotrans ), where trans = Def uC\d{ 33 ). 

Here, by requiring trans' 5 to be contained in t , we have made it represent 
a collection of sets; then, the further requirement that trans' 5 be contained in 
d(33)' s amounts to the condition that cE^a holds when a,d, and c are such 
that a trans' 5 a, a3^d, and d3' i c hold. 

The SUBSET axioms enable one to extract from any given a the set b consisting 
of those elements of a that meet a condition specified by means of a predicate 
expression P. In this form, still overly naive, this ‘separation’ principle could 
be stated as simply as: Total( T( 3I~I P) ). This would suffice (taking 0 as P) to 
ensure the existence of a null set, devoid of elements. We need the following more 
general form of separation (whence the previous one is obtained by taking i as 

Q)- 

(S) Total( T( funPart( Q )o3flP ) ). 

The latter states that to every set a, there corresponds a set b which is null un- 
less there is exactly one d fidfilling aQ^d, and which in the latter case consists 
of all elements c of d for which aP^c holds. 

Example 3. Plainly, funPart( 3 ) J is the map holding between c and d in U iff 
c = {d}, i.e. d is the sole element of c; moreover funPart( 3ofunPart( 3 ) is the 
map holding between a and d iff there is exactly one singleton c in a and d is 
the element of that particular c. Thus, the instance 

Total( T( funPart( 3ofunPart( 3 ) )o3n^ ) ) 
of (S) states that to every set a there corresponds a set b which is null unless 
there is exactly one singleton c = {d} in a, and which in the latter case consists 
of all elements of d that do not belong to a. □ 



5 Pairing and Finiteness Axioms 

A list 7To,7Ti, ...,Tr n of maps are said to be CONJUGATED QUASI-PROJECTIONS 
if they are (partial) functions and they are, collectively, surjective, in the sense 
that for any list a$, ... ,a n of entities in U there is a b in U such that irfib) = ai 
for i = 0, 1, . . . , n. We assume in what follows that 7To, 7 Ti are map expressions 
designating two conjugated quasi-projections. It is immaterial whether they are 
added as primitive constants to £ x , or they are map expressions suitably chosen 
so as to reflect one of the various notions of ordered pair available around, and 
subject to axioms that are adequate to ensure that the desired conditions, namely 
(Pair) 7 Tq 1 07Ti = 1L, Fun(7r 0 ), Fun(7Ti), 63=1, 

hold (cf. [33], pp. 127-135) . Notice that the clause (Pair) 4 of this pairing axiom 
will become superfluous when the replacement axiom scheme will enter into play 
(cf. [16], pp.9-10). 




An Equational Re-engineering of Set Theories 



181 



Example 4- A use of the is that they enable one to represent set-theoretic 
functions by means of entities / of U such that no two elements 6, c of / for 
which 7Tq yields a value have 7Tq (b) = tvq (c). Symbolically, we can define the 
class of these single-valued sets as 

sval = Def l fl <roG, where er = Def 3o( 7r 0 O7TQ 1 fir). 

Cantor’s classical theorem that the power-set of a set has more elements than 
the set itself can be phrased (cf. [2], p.410) as follows: for every set a and for 
every function f, there is a subset b of a which is not ‘ hit ' by the function f 
(restricted to the set a in question). 3 A rendering of this theorem in £ x could be 
Total( ^Gf13ofunPart( P ) ), but this would not faithfully reflect the idea that 
the theorem concerns set-theoretic functions rather than functions, funPart(P), 
of C x . The distinction is subtle but important, because the subsets F oiU 2 that 
candidate as values for map expressions are not necessarily entities of the same 
kind as the ‘sets’ / belonging to U\ on the one hand, F qualifies as a function 
when no two pairs [a, b], [ a,d } in F share the same first component and differ 
in their second components; on the other hand, / qualifies as a ‘function’ when 
/ svaC / holds — the convenience to require also that 7 Tq (d) and 7rf (d) both exist 
for each dG^/ seems to be a debatable matter of taste. 

The typical use of 7To and tti is illustrated by a translation of Cantor’s 
theorem more faithful than the above, which exploits the possibility to encode 
the pair a, f by an entity c with 7Tq (c) = a and irf (c) = /: 

Total( 7r 0 o^Gn( 7r 0 o3o7rQ 1 ri7rio( oT3 ) )o7Ti ) (er as before). 

The latter states that to every c there corresponds a b such that 

— if it exists, 7Tq (c) includes 6; 

— if 7Tq (c) = a and 7rf (c) = / both exist, then b ^ 7rf (d) for any d in / such 

that 7Tq (d) = e exists and belongs to a and no d! in / other than d fulfills 
7To (d') = e- □ 



A standard technique used to derive statements of the form Total( T( R ) ), 
which are often very useful, is by breaking T( R ) into an equivalent expression of 
the form ( Po7Tq 1 ri7r)” 1 )oT( 7roo3ri7riO(5 ), where Total(P) is easier to prove. 
Exploiting the graph representation of map expressions introduced in Remark 1, 
this situation can be depicted as follows: 




The desired totality of T(i?) will then follow, in view of (Pair ) 1 and of (S), 
(Pair) 2 . For example, by means of the instantiation P = Gotrans, Q = l of 

3 This was one of the first major theorems whose proof was automatically found by a 
theorem prover, cf. [1]. This achievement originally took place in the framework of 
typed lambda-calculus. 




182 Andrea Formisano and Eugenio Omodeo 



this proof scheme, we obtain Total( T( i ) ), where T( i ) designates the singleton- 
formation operation a i— > {a} on U; then, by taking 

P = ( ( 7ToU7ToOlL )o6n( 7riU7TiOlL )o3 r ( l) o£ )od( 33 ) 

and 

Q = 7r 0 o3U7ri, 

we obtain the totality of T( 7Too3U7ri ), which designates the adjunction op- 
eration [a,b\ i — > sU {6}. Similarly, one gets the totality of T( ffE ), 3^ 33), 
3 r ( 7r 0 U7ri ), of any 3 r ( R ) such that both R\Q — 0 and Total( d(Q)) are known 
for some Q , etc. Even the full (S) could be derived with this approach from its 
restrained version Total( 3 r ( 7Too3n7TioP ) ). 

Under the set axioms (E), (Vow), (S), (Pair) introduced so far, it is rea- 
sonable to characterize a set a as being finite if and only if every set b of which 
a is an element has an element which is minimal w.r.t. inclusion (cf. [31], p.49). 
Intuitively speaking, in fact, the set formed by all infinite cs in the power-set 
p( a ) of a has no minimal elements when a is infinite, because every such c re- 
mains infinite after a single-element removal. Conversely, if a belongs to some b 
which has no minimal elements, then the intersection of b with p( a ) has no min- 
imal elements either, and hence a is infinite. In conclusion, to instruct a theory 
concerned exclusively with finite sets, one can adopt the following finiteness 
axiom: 

(F) finite^/,, where finite = Def z,n( io( 6D( (lU^E )f$? ) )f^ ). 

Here, by requiring finite' 5 to be contained in i we have made it represent a 
collection of sets (the collection of all sets, if (F) is postulated); then, the fur- 
ther requirement that finite' 5 be contained in ( io( en( ( lU^E )f fL ) )f ) 
amounts to the condition that when both a finite' 5 a and b3'*a hold, there is a 
cE^b such that no dE^b other than c itself is included in c. 

6 Bringing Individuals into Set Theory: Foundation and 
Plenitude Axioms 

Taken together with the foundation axiom to be seen below, the axioms (E), 
(Vow), (T), (S), (Pair), and (F) discussed above constitute a full-blown theory 
of finite sets. However, they do not say anything about individuals (or ‘urele- 
ments’, cf. [14]), entities that common sense places at the bottom of the formation 
of sets. These are not essential for theoretical development, but useful to model 
practical situations. To avoid a revision of (E) — necessary, if we wanted to treat 
individuals as entities devoid of elements but different from the null set — let us 
agree that individuals are self-singletons a = {a} (cf. [28], pp. 30-32). Moreover, 
to bring plenty of individuals into U (at least as many individuals as there are 
sets, hence infinitely many individuals), we require that there are individuals 
outside the sum-set of any set. Here comes the PLENITUDE AXIOM: 

(Ur) Total( 33our), where ur E De[ in?(i). 

To develop a theory of pure sets, one will postulate ‘lack’ of individuals, by 
adopting the axiom ur=0 instead of plenitude. 




An Equational Re-engineering of Set Theories 



183 



When individuals are lacking, the FOUNDATION (or ‘regularity’) axiom en- 
sures that the membership relation G u is cycle- free — more generally, under in- 
finity and replacement axioms (see Sec. 7 below), it can be used to prove that G' 5 
is well-founded on U (cf. [7], Ch.2 Sec. 5). Regularity is usually stated as follows: 
when some b belongs to a, there is a c also belonging to a that does not intersect 
a. On the surface, this statement has the same structure as the version of the 
axiom of choice seen at the end of Sec. 2; in C x it can hence be rendered by 

Total(3UU3\3G). 

Example 5. To ascertain that the existence of a membership cycle would conflict 
with regularity stated in the form just seen, one can use singleton-formation 
together with the adjunction operation and with the quasi-projections 7 To,7Ti, 
to form the set a = {6o, . . . , b n } out of any given list bo, ■ ■ ■ , b n of sets. If, by 
absurd hypothesis, &oG 9 &iG 9 • • • G 9 6„G®&o could hold, then every element bj of 
a would intersect a, since fruG^aflfro and G' s an6, would hold for i = 1 , . . . , n. 

□ 



To reconcile the above statement of regularity with individuals, we can recast 
it as 

(R) Total( ( ^Ulour )f 0U3\3o( i.\ur)oG\lfour), 

which means: unless every b in a is an individual, there is a c in a such that 
every element ofaHc is an individual and c itself is not an individual. 

As is well-known (cf. [16], p.35), foundation helps one in making the defini- 
tions of basic mathematical notions very simple. In our framework, we propose 
to adopt the following definition of the class of natural numbers : 4 
nat = Def l n ( 3o( J( 3Ui ) \ l )f(tU G)n 31 ), 
which means: a is a natural number if for every b in a U {a} other than the null 
set, there is a c in a such that b = c U {c} and b ^ c. 

7 An Infinity Axiom and the Replacement Axioms 

Similarly, under the foundation axiom, the definition of ordinal numbers becomes 
ord = Def ( trans\3ourolL )n( ^f( GU/.U3 )f£ ), 
where trans is the same as in (T), hence trans\i.=0 holds, and hence (thanks to 
(R)) ( GU/.U3 )f$? requires that an ordinal be totally ordered by membership. 

The existence of infinite sets is often postulated by claiming that ord\nat is 
not empty: To( ord\nat )o£=lL, or equivalently Total( To( ord\nat ) ). The fol- 
lowing more essential formulation of the INFINITY axiom, based on [22] and 
presupposing (R-)- seems preferable to us: 5 

(I) Total( To( d{ 33 )n<9( 33 ) _1 \G\3V\9o6A3oG ) ). 

4 From this simple start one can rapidly reach the definition of important data struc- 
tures, e.g., ordered and oriented finite trees. 

5 Here, like in the case of (Ur) (which could have been stated more simply as 
3 o*“), our preference goes to a formulation whose import is as little de- 
pendent as possible from the remaining axioms. 




